I always try to do an SSL_read every time I give a new packet to OpenSSL library, It's true that I only try it once per packet I give.
Maybe I should try SSL_pending after this read, to ensure that aren't more data. Normally SSL_pending return 0, even before trying to read. When I call to SSL_read and it give me an error, as I said, the next time I call SSL_read it give me a wrong buffer but it's size is correct according last SSL_write from the other computer. But at least the first bytes of the block are not correct, because it doesn't appear as a IPv4 valid packet (I mean an internal packet from the inside of the VPN). And also any of the next SSL_reads return a valid decoded block or at least not starting from the first byte. And none of them return any SSL_* error. I really think it could be a problem of buffers management. I also don't trust the DTLS implementation just because I know any application how make an extensive usage of this implementation/protocol. Maybe anybody can propose a test to get more information about this problem. Thanks, for the reply. Pau On Sat, Aug 30, 2008 at 12:56 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote: > If SSL_read or SSL_write return SSL_WANT_READ or SSL_WANT_WRITE, just > at some point call them again. It means either that insufficient data > has actually come in to decrypt the next SSL packet, or that there's a > request for a renegotiation, or whathaveyou. The SSL_read and > SSL_write functions will do the appropriate underlying reading and > writing, but they return because it might take a while for the > negotiation to take place and it doesn't make sense to prevent any > other connections that the same thread is managing. (In the case of > DTLS, if your application data block is larger than about 3/4 of the > MTU, it's going to need to be split across multiple IP datagrams. I > haven't looked at the DTLS code itself to figure out if it's only > reading one datagram at a time and thus possibly returning SSL_WANT_* > when it's been split in those circumstances.) > > They aren't really 'errors', they're more like errno being set to > EAGAIN -- the desired semantic of the call cannot be completed at this > time, but there's no particular reason why it won't work the next time > you call it. > > What happens when you call SSL_read or SSL_write after getting SSL_WANT_*? > > -Kyle H ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
