Sebastián Treu wrote:
> Hi David,
>
>>> Other things are to instantaneously put that client in a wait list
>>> when SSL_write() could not succeed, continue with the others, and try
>>> with that client again later. But sometimes we can get a WANT_WRITE
>>> or WANT_READ when renegotiating, so this does not appear a solution.
>> I don't follow. Why is that not a solution?
>
> Well, maybe I miss the point of what the man pages wanted to say with:
>
> "[...]
> WARNING
> When an SSL_write() operation has to be repeated because of
> SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, it must be repeated with
> the same arguments.
> [...]"
>
> It's confusing for me. I know it doesn't make sense that if we
> SSL_write() to a client that doesn't read, repeating SSL_write() with
> the same arguments will yield want_read and want_write all the time. What
> exactly does that mean, then?
Everyone always wants to overthink this - think of this: you have, if you are using SSL/TLS, the following layers:

- Your application (perhaps HTTP, perhaps some other protocol, but one which probably has some sort of protocol involved)
- SSL (which has its own protocol, completely unrelated to your application, and transparent to it)
- TCP/IP (read() and write()... may block, may have other problems, but don't worry about it, because the SSL layer always "does the right thing")

Consequently, once you switch to SSL, just call SSL_read() and SSL_write(), and do what they tell you to do. Don't worry about weird "client stops accepting writes" or other cases... the SSL layer will deal with it... as well as incidental things like renegotiations, credential passing, session setup and teardown... which are, by far, the most likely reason to get SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE... the SSL layer needs another pass through select() / poll() with the appropriate call being made to complete something happening in *its* protocol layer.

Just call SSL_connect() (or SSL_accept()), and then SSL_read()/SSL_write() (with SSL_get_error() after each call, which should be obeyed if either returns <0), and then SSL_shutdown()....

And, of course, correctly implement your state machine above this... Don't worry about anything else.. if you do, you'll have a very flaky application that will hang in weird locations and for strange reasons.

Have fun.

Patrick.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
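The application-side state machine Patrick describes, as an added example written for this thread rather than code from the original post or from OpenSSL: the pending call keeps its arguments across retries, and the direction to wait for follows SSL_get_error() rather than the call that was made. The library is reached through a function-pointer interface and exercised by a constructed scripted stand-in (the names tls_conn, tls_step and fake_ssl are assumptions), so it builds without libssl; in real code op is SSL_write(), get_error is SSL_get_error() and ssl is the SSL*.

```c
#include <poll.h>
#include <stdio.h>
/* Values from openssl/ssl.h, repeated here so the example builds without libssl. */
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_ZERO_RETURN 6
struct tls_conn {
    void *ssl;                                        /* SSL* in real code */
    int (*op)(void *ssl, const void *buf, int len);   /* SSL_write (or SSL_read) */
    int (*get_error)(const void *ssl, int ret);       /* SSL_get_error */
    const void *buf; int len;                         /* arguments of the pending call; buf == NULL: idle */
    short want;                                       /* POLLIN or POLLOUT to wait for before retrying */
};
/* Queue a write. Refused while one is pending: OpenSSL requires the retry to
 * use the same buffer and length (otherwise it fails with SSL_R_BAD_WRITE_RETRY). */
int tls_queue_write(struct tls_conn *c, const void *buf, int len) {
    if (c->buf) return -1;
    c->buf = buf; c->len = len; c->want = POLLOUT;
    return 0;
}
/* Call after poll() reports c->want on the socket. Returns bytes done (>0),
 * 0 = wait for the new c->want and call again, -1 = peer closed, -2 = fatal. */
int tls_step(struct tls_conn *c) {
    if (!c->buf) return 0;
    int n = c->op(c->ssl, c->buf, c->len);            /* same arguments on every retry */
    if (n > 0) { c->buf = NULL; c->want = 0; return n; }
    switch (c->get_error(c->ssl, n)) {
    /* The direction to wait for comes from the error, not from which call was
     * made: a renegotiation can leave SSL_write() waiting for readable data. */
    case SSL_ERROR_WANT_READ:   c->want = POLLIN;  return 0;
    case SSL_ERROR_WANT_WRITE:  c->want = POLLOUT; return 0;
    case SSL_ERROR_ZERO_RETURN: c->buf = NULL; return -1;
    default:                    c->buf = NULL; return -2;
    }
}
/* Constructed stand-in for libssl: a script of (return value, error code) pairs. */
struct fake_ssl { const int *ret, *err; int i; };
int fake_op(void *s, const void *b, int l) { struct fake_ssl *f = s; (void)b; (void)l; return f->ret[f->i++]; }
int fake_error(const void *s, int r) { const struct fake_ssl *f = s; (void)r; return f->err[f->i - 1]; }
int main(void) {
    /* A 5-byte write that hits a renegotiation (WANT_READ), then a full socket buffer (WANT_WRITE), then completes. */
    static const int ret[] = { -1, -1, 5 }, err[] = { SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE, 0 };
    struct fake_ssl f = { ret, err, 0 };
    struct tls_conn c = { &f, fake_op, fake_error, NULL, 0, 0 };
    int r = tls_queue_write(&c, "hello", 5);          /* 0: accepted */
    while ((r = tls_step(&c)) == 0)                   /* real code would poll(fd, c.want) here */
        printf("retry after poll for %s\n", c.want == POLLIN ? "POLLIN" : "POLLOUT");
    printf("result %d\n", r);                         /* prints: result 5 */
    return 0;
}
```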