> From: owner-openssl-us...@openssl.org On Behalf Of Nathan Smyth
> Sent: Monday, 19 December, 2011 13:48
> I was wondering if anyone has any examples (either pasted or links) on
> using file descriptors (i.e. standard socket type operations) with OpenSSL.
> I tried some basic code, but the things I'm doing don't seem to work
> (e.g. I don't know how to build up a new SSL object given an existing fd
> on a SSL conn):

<snip code>

> but if I try to 'rebuild' a connection from the fd, e.g. something like this:
> int sockfd = SSL_get_fd(ssl);
> SSL *ssl2 = SSL_new(ctx);
>
> SSL_set_fd(ssl2,sockfd);
> SSL_write(ssl2, "this doesn't\n", 14);
> it doesn't [work]

> If anyone has any ideas they're most appreciated.

You can't have two SSL connections concurrently on the same socket (or rather the same TCP connection of which a socket is one endpoint). SSL is a protocol and send and receive operations need to be handled according to that protocol, which for OpenSSL means using a single SSL* object -- and without contention (i.e. a single thread, at least for the duration of an operation).

> Also the reason for this code is that I'm trying to work out how to
> use fds with OpenSSL. Essentially I've inherited an app that uses sockets
> for both inter-process communication (local comms) and network comms.
> I've been tasked with putting TLS on the network connections. But lots of
> the code involves (extended) select()s or poll()s on the socket fds, so
> it would be great and far less of a rewrite if I could also interact
> with OpenSSL connections using the socket fds and then 'building up'
> the objects around them.

You probably want nonblocking mode, aka NBIO (nonblocking I/O) in OpenSSL.
If the socket is nonblocking, OpenSSL protocol routines (SSL_connect, SSL_accept, SSL_read, SSL_write, SSL_shutdown) which need to do a send or (more often) recv that would block instead return, and SSL_get_error indicates ...WANT_READ or WANT_WRITE; this means that your code can do other things (or wait) until the OS indicates the socket is readable or writable respectively, typically (but not necessarily) with select or similar, and then try the SSL call again. This is similar to the way I/O on nonblocking sockets (and devices and pipes on Unix) returns with errno==EWOULDBLOCK, just a little more complicated.

man SSL_accept
man SSL_read
man SSL_get_error
etc.

You can definitely do nbio on a socket you connect explicitly with (TCP-level) accept or connect (and wrap in BIO_socket), and I believe you can also do it on a BIO_accept or BIO_connect but I haven't.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
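The WANT_READ/WANT_WRITE retry loop described above, as an added example that is not part of the thread, written in Python because its stdlib ssl module reports SSL_ERROR_WANT_READ/WANT_WRITE as ssl.SSLWantReadError/ssl.SSLWantWriteError around the same nonblocking socket fd. No real TLS handshake runs here: FakeRecordLayer is a constructed stand-in that raises those errors the way a TLS record layer does (partial record, nothing on the wire yet), so the block runs offline; ssl_retry is the part you would wrap around a real ssl.SSLSocket's do_handshake/recv/send.

```python
import select
import socket
import ssl
import threading


def ssl_retry(op, fd, timeout=5.0):
    """Repeat op() until it completes, waiting on fd in the direction the
    WANT_* error names (a write may need to read during a handshake)."""
    while True:
        try:
            return op()
        except ssl.SSLWantReadError:
            if not select.select([fd], [], [], timeout)[0]:
                raise TimeoutError("peer never sent the data TLS needs")
        except ssl.SSLWantWriteError:
            if not select.select([], [fd], [], timeout)[1]:
                raise TimeoutError("socket never became writable")


class FakeRecordLayer:
    """Constructed stand-in for SSLSocket.recv (not real TLS): takes one byte
    per call from a nonblocking socket, WANT_READ until a full record is in."""
    def __init__(self, sock, need):
        self.sock, self.need, self.buf = sock, need, b""

    def recv(self):
        try:
            chunk = self.sock.recv(1)
        except BlockingIOError:           # nothing on the wire yet
            raise ssl.SSLWantReadError() from None
        if not chunk:                     # EOF: don't spin forever on a dead peer
            raise ConnectionError("peer closed the connection")
        self.buf += chunk
        if len(self.buf) < self.need:     # partial record, need more bytes
            raise ssl.SSLWantReadError()
        return self.buf


def read_record(payload=b"abc", delay=0.05):
    """First byte now, rest after `delay`, so the loop really waits in select()."""
    ours, peer = socket.socketpair()
    ours.setblocking(False)               # NBIO: recv raises instead of blocking
    peer.sendall(payload[:1])
    threading.Timer(delay, peer.sendall, [payload[1:]]).start()
    try:
        return ssl_retry(FakeRecordLayer(ours, len(payload)).recv, ours.fileno())
    finally:
        ours.close()
        peer.close()
```

The same select()-then-retry shape is what the existing poll()/select() loops in the inherited app would grow into: on WANT_READ add the fd to the read set, on WANT_WRITE to the write set, and re-issue the identical SSL call when it fires.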