> I have an app where reads and writes happen from different threads.
> Now, ideally, one would envision that I just replace the reads/writes
> with SSL_read/SSL_write. Now I know it is not as simple as that.
You need to wrap each SSL connection with a lock and hold that lock when you call SSL_read or SSL_write. This will prevent concurrent accesses to the same connection from different threads, which is not supported.

> What exactly is the meaning of the SSL_ERROR_WANT_READ/WRITE errors?

[snip]

The OpenSSL connection does not have exactly the same semantics as a TCP connection. Say you try to send data before the handshaking is finished. OpenSSL cannot send any data over the socket until it reads the handshake from the other side. So a 'WANT_READ' error means that OpenSSL needs to read some encrypted data from the other side before it can write the application data you want to send.

The way you deal with these is just by not doing the thing that the error stops you from doing until you've made some forward progress. There are four things that can happen:

1) If the application wants to send some plaintext, that plaintext has to go to OpenSSL to encrypt.

2) If OpenSSL has some decrypted data, it needs to get to the application.

3) If some encrypted data is (ready on / received on) the socket, it needs to get to OpenSSL.

4) If OpenSSL has some encrypted data to send, and the socket is ready to receive, the data needs to be sent.

These operations inter-relate. Sometimes it's obvious; for example, you can't receive any decrypted data until the encrypted data is ready on the socket. However, sometimes it's not obvious. So say you go to send some data using SSL_write and you get 'WANT_READ'. That means OpenSSL wants to read some encrypted data from the other side before it can do the send. So you could, for example, 'select' on the socket and when there's data to read, call OpenSSL again. It will then do step 3 itself. If you go to receive some data using SSL_read and get 'WANT_WRITE', that means OpenSSL can't receive any data because it has to send some data to the other side first. So you could 'select' for write to wait for the socket buffer to drain and then call OpenSSL again.

DS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
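The following is an added, runnable illustration of the four flows and the "retry the same call after forward progress" rule described in the reply above; it is example code written for this page, not code from DS or from the OpenSSL project. Python's ssl module is a thin wrapper over OpenSSL: SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE surface as ssl.SSLWantReadError and ssl.SSLWantWriteError, and an SSLObject driven through two MemoryBIO buffers makes the socket-side flows (3 and 4) explicit instead of hiding them inside a socket. The example assumes a local OpenSSL build that still ships the anonymous (aNULL) TLS 1.2 cipher suites; they are used only so that no certificate has to be shipped with the example and are never appropriate for a real deployment. The names make_contexts, Endpoint, transfer, attempt and run_exchange are the example's own.

```python
import ssl


def make_contexts():
    """Constructed contexts for the demonstration. Anonymous (aNULL) TLS 1.2 suites
    are selected ONLY to avoid needing a certificate/key file; they provide no
    authentication and must never be used in production. Assumption: the local
    OpenSSL build still includes the AECDH/ADH suites (true of common distro builds)."""
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False
    client.verify_mode = ssl.CERT_NONE
    for ctx in (server, client):
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 has no anonymous suites
        ctx.set_ciphers("aNULL:@SECLEVEL=0")          # seclevel 0 is required for aNULL
    return server, client


class Endpoint:
    """One side of the connection: the SSL object plus the two ciphertext buffers that
    stand in for the socket. `incoming` holds bytes received from the socket that
    OpenSSL has not consumed yet (flow 3); `outgoing` holds bytes OpenSSL has
    encrypted and wants written to the socket (flow 4)."""

    def __init__(self, ctx, server_side):
        self.incoming = ssl.MemoryBIO()
        self.outgoing = ssl.MemoryBIO()
        self.ssl = ctx.wrap_bio(self.incoming, self.outgoing, server_side=server_side)


def transfer(src, dst):
    """The 'network': whatever OpenSSL on `src` queued for the socket (flow 4) is
    delivered to OpenSSL on `dst` as bytes received from the socket (flow 3).
    In a real program these are the send()/recv() calls you issue once select()
    reports the socket writable/readable. Returns the number of bytes moved."""
    data = src.outgoing.read()
    if data:
        dst.incoming.write(data)
    return len(data)


def attempt(op, events, label):
    """Try one application-side operation (flow 1: write plaintext, flow 2: read
    plaintext). On WANT_READ/WANT_WRITE nothing is done except recording the fact:
    the caller makes forward progress on the socket side and then retries the SAME
    call with the SAME arguments, which is what the reply above prescribes."""
    try:
        result = op()
        events.append(label + " ok")
        return result
    except ssl.SSLWantReadError:
        events.append(label + " WANT_READ")   # OpenSSL must first read peer bytes
    except ssl.SSLWantWriteError:
        events.append(label + " WANT_WRITE")  # OpenSSL must first flush to the socket
    return None


def run_exchange(payload, max_turns=20):
    """The client calls SSL_write(payload) before any handshake has happened, the
    server calls SSL_read(); both keep retrying until they succeed.
    Returns (bytes_written, bytes_received, event_log)."""
    server_ctx, client_ctx = make_contexts()
    client = Endpoint(client_ctx, server_side=False)
    server = Endpoint(server_ctx, server_side=True)
    events, sent, received = [], None, None
    for _ in range(max_turns):                       # bounded so a broken setup cannot spin
        if sent is None:
            sent = attempt(lambda: client.ssl.write(payload), events, "client write")
        if received is None:
            received = attempt(lambda: server.ssl.read(4096), events, "server read")
        if sent is not None and received is not None:
            break
        # Forward progress on the socket side in both directions, then retry.
        transfer(client, server)
        transfer(server, client)
    return sent, received, events


if __name__ == "__main__":
    sent, received, events = run_exchange(b"GET / HTTP/1.0\r\n\r\n")
    for event in events:
        print(event)
    print("sent:", sent, "received:", received)
```

The first event is always the client's write failing with WANT_READ: SSL_write has written the ClientHello into `outgoing` but cannot encrypt application data until the server's handshake flight arrives, exactly the case the reply describes. Each subsequent turn moves ciphertext both ways and retries the same calls until the write and the read both complete. A MemoryBIO never fills up, so WANT_WRITE cannot occur in this in-memory run; the branch is there because with a real non-blocking socket, where `transfer` becomes send()/recv() gated by select(), it is the symmetric case. Hold the per-connection lock from the start of the reply around every call into the SSL object if more than one thread drives the loop.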