SSL_read() returning SSL_ERROR_SYSCALL with errno 11 EAGAIN

John Unsworth John.Unsworth at synchronoss.com
Thu May 2 09:56:45 UTC 2019


Create a non-blocking TCP socket 
	socket() for a sock_stream.
	connect().
	SSL_new(), SSL_set_fd(), SSL_connect().

The application sends LDAP operations from many threads. We have just one thread that reads LDAP results. If an operation is outstanding then the result thread does (simplified):

SSL_read()
If > 0 return data.
Else if SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE then poll(); back to SSL_read() when data available.
Else return error and disconnect.

Don't know what protocol was negotiated or what the server does in terms of returned data. TCP/OpenSSL handle that.
Both ends OpenSSL 1.1.0h.
Problem seems to occur at random - only reproducable on customer site and after a long time running their soak test.

Regards,
John.

-----Original Message-----
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Viktor Dukhovni
Sent: 02 May 2019 07:25
To: openssl-users at openssl.org
Subject: Re: SSL_read() returning SSL_ERROR_SYSCALL with errno 11 EAGAIN

CAUTION: This email originated from outside of Synchronoss.


> On May 1, 2019, at 9:47 AM, John Unsworth <John.Unsworth at synchronoss.com> wrote:
>
> Create a non-blocking TCP socket.
> Call SSL_new(), SSL_set_fd(), SSL_connect() Thereafter call 
> SSL_read().
> Renegotiates handled by OpenSSL.

Can you be more specific about "Create a non-blocking TCP socket"?
That fully sets up the TCP connection?

Also, with the non-blocking connection, how do you decide when to read?
Are you using poll()? select()? epoll()?  And did they report available data?

In this particular case, was the client trying to read the initial bytes of the server's reply having received nothing yet in response to its query?  Or was it in the middle of reading a data stream?

When reading TLS records OpenSSL first reads the record layer header which indicates the payload length, and then tries to read that many bytes.  Does the server send the record layer header in the same TCP segment as the payload, or in separate segments?

Do you know what protocol version was negotiated?  Are both ends using OpenSSL?  What version on the server side? ...

Can you reproduce the problem after sufficiently many client server interactions?  Can you get PCAP files of any problem cases?

--
        Viktor.



More information about the openssl-users mailing list