Luiz Rafael Culik Guimaraes wrote:

> How to use properly SSL_read/SSL_write with select?

Make sure to set the socket/BIO non-blocking. Call SSL_read or SSL_write
when you want to read or write plaintext to/from the SSL connection. *Only*
call 'select' on the underlying socket if OpenSSL specifically tells you to.

> my default code with use standard api, make a call to select
> before call to
> recv/send api

That won't work. Just because you want to receive unencrypted data, you
cannot assume that OpenSSL needs to receive encrypted data to do it. For
example, it may already have received the data from the socket. Don't try to
"look into" or "look through" the OpenSSL state machine. Treat it like a
black box with an encrypted side and a plaintext side.


>       if( hb_selectReadSocket( Socket ) )
>       {
>          iLen = SSL_read( Socket->pSSL, &cChar, 1 );
>          iRet = SSL_get_error( Socket->pSSL, iLen) ;
>          Socket->errorCode = iRet;
>       }

Here you are "looking through" the OpenSSL black box. You are saying if
encrypted data has been received by the black box, then I'll ask it for
plaintext. But this is an unnecessary assumption that will not always be
correct. So don't make it. Just call SSL_read if you want to read
plaintext. *Don't* call 'select' first because you have no idea whether or
not OpenSSL needs to read encrypted data.

> So, how can I change it so it can work correctly with OpenSSL
> SSL_read/SSL_write
> api

When you want to read plaintext, call SSL_read. When you want to write
plaintext, call SSL_write. If OpenSSL cannot make forward progress because
it needs to read or write to or from the socket, it will tell you with a
WANT_READ/WANT_WRITE indication. *Then* you can call 'select'.

Note that the two directions of an OpenSSL connection are not independent.
Any forward progress in either direction invalidates a previous WANT_*
indication in the other direction.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
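
The rule described in the reply above, as an added example that is not code from the original thread: it uses Python's ssl module, which wraps OpenSSL and raises SSLWantReadError/SSLWantWriteError where the C API reports SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. The helper names tls_call and first_indication and the host name example.test are assumptions made for the illustration.

```python
import select
import ssl


def tls_call(op, sock, timeout=5.0):
    """Run op(), a TLS read or write on a non-blocking socket.

    The TLS call is always attempted first; select() is used only after
    OpenSSL reports that it needs the socket to be readable or writable.
    """
    while True:
        try:
            return op()
        except ssl.SSLWantReadError:      # SSL_ERROR_WANT_READ in the C API
            ready, _, _ = select.select([sock], [], [], timeout)
        except ssl.SSLWantWriteError:     # SSL_ERROR_WANT_WRITE in the C API
            _, ready, _ = select.select([], [sock], [], timeout)
        if not ready:
            raise TimeoutError("socket not ready for TLS I/O")
        # Loop: retry the same operation now that the socket is ready.


def first_indication():
    """Start a client TLS session over memory BIOs (no network) and report
    what OpenSSL asks for on its first call, plus the bytes it queued."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # "example.test" is a constructed host name; nothing is resolved or sent.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        # OpenSSL already wrote its ClientHello into `outgoing` and now
        # needs the peer's reply: only the library knew both facts.
        return "WANT_READ", outgoing.pending
    return "DONE", outgoing.pending


# Usage on a connected, non-blocking ssl.SSLSocket named tls:
#   data = tls_call(lambda: tls.recv(4096), tls)
#   sent = tls_call(lambda: tls.send(payload), tls)
```

A WANT_READ can come back from a write and a WANT_WRITE from a read, which is why the helper takes the operation as a callable and decides the select direction from the exception alone.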
