> > I always call SSL_pending() before going into select(), as far as I
> > understand that should be sufficient. Anyways, the server is not hanging
> > in select(), it is definitely inside SSL_read().
> Ok, just checking :-)
I think there is a bug in the library... I've added some debug printouts to s_client and here is what I get:

    calling SSL_write
    after SSL_write: write 6 bytes, 0
    select returned 1 fd, read: 1, write 0
    calling SSL_read
    SSL_connect:SSL renegotiate ciphers
    SSL_connect:SSLv3 write client hello A
    SSL_connect:error in SSLv3 read server hello A
    after SSL_read: 9 bytes, 0
    select returned 1 fd, read: 1, write 0
    calling SSL_read
    SSL_connect:SSLv3 read server hello A
    ...
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    ...
    verify error:num=27:certificate not trusted
    verify return:1
    ...
    verify error:num=21:unable to verify the first certificate
    verify return:1
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server key exchange A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A

and it is stuck. So we call blocking SSL_read() based on select(), but select saw data that was part of the renegotiating process, so SSL_read() has nothing to return and it hangs. It should be returning WANT_READ, but I think it is getting confused because we have two calls to SSL_read and the second one does not realize that there is renegotiation going on.

Contrast with the log of the working scenario (notice there is only one call of SSL_read() this time):

    calling SSL_write
    after SSL_write: 7 bytes, 0
    select returned 1 fd, read: 1, write 0
    calling SSL_read
    SSL_connect:SSL renegotiate ciphers
    SSL_connect:SSLv3 write client hello A
    SSL_connect:SSLv3 read server hello A
    ...
    verify error:num=20:unable to get local issuer c
    verify return:1
    ...
    verify error:num=27:certificate not trusted
    verify return:1
    ...
    verify error:num=21:unable to verify the first c
    verify return:1
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server key exchange A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A
    after SSL_read: -1, 2
    read R BLOCK

You see, this time our SSL_read() blocks until the renegotiation is complete and then returns WANT_READ. So I don't see a safe way of calling blocking SSL_read() knowing that it will for sure have something to return. Bug?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
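The non-blocking read pattern this thread is circling around, added here as an example that is not code from the original post or from OpenSSL. It uses Python's ssl module, whose SSLSocket.recv(), pending() and SSLWantReadError/SSLWantWriteError wrap OpenSSL's SSL_read(), SSL_pending() and the SSL_ERROR_WANT_READ/WANT_WRITE results of SSL_get_error(); the socket is assumed to be non-blocking, and ReplayTLS is a constructed stand-in that replays the log above rather than a real connection.

```python
import select
import ssl

def drain_readable(tls_sock, chunk=4096):
    """Read from a non-blocking TLS socket that select() reported readable.
    Returns (data, next_wait) with next_wait in "read", "write", "closed"."""
    chunks = []
    while True:
        try:
            buf = tls_sock.recv(chunk)            # SSL_read() underneath
        except ssl.SSLWantReadError:              # SSL_ERROR_WANT_READ
            # The readable bytes were handshake records (renegotiation): SSL_read
            # consumed them and has nothing to hand up. A blocking socket hangs
            # right here; a non-blocking one simply goes back to select().
            return b"".join(chunks), "read"
        except ssl.SSLWantWriteError:             # SSL_ERROR_WANT_WRITE
            return b"".join(chunks), "write"      # renegotiation needs to send
        if not buf:
            return b"".join(chunks), "closed"     # close_notify or EOF
        chunks.append(buf)
        if tls_sock.pending() == 0:               # SSL_pending(): decrypted
            return b"".join(chunks), "read"       # bytes select() cannot see

def read_message(tls_sock, timeout=5.0):
    """select()-driven read that never blocks inside SSL_read()."""
    want = "read"
    while True:
        if want == "write":
            ready = select.select([], [tls_sock], [], timeout)[1]
        else:                                     # buffered bytes skip select()
            ready = tls_sock.pending() or select.select([tls_sock], [], [], timeout)[0]
        if not ready:
            raise TimeoutError("no TLS record within %ss" % timeout)
        data, want = drain_readable(tls_sock)
        if data or want == "closed":
            return data

class ReplayTLS:
    """Constructed stand-in replaying the post's log: the first readable event is
    renegotiation traffic only, the next two carry 9 bytes of application data."""
    def __init__(self):
        self.events = [ssl.SSLWantReadError(), b"12345", b"6789"]
    def recv(self, n):                            # stands in for SSL_read()
        ev = self.events.pop(0)
        if isinstance(ev, Exception):
            raise ev
        return ev
    def pending(self):                            # stands in for SSL_pending()
        return sum(len(e) for e in self.events if isinstance(e, bytes))
```

On the first readable event drain_readable() returns no data and asks for another select(), which is the point at which a blocking SSL_read() on the poster's server sits forever; the second call drains both buffered records because it consults pending() rather than select().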