> From: owner-openssl-us...@openssl.org On Behalf Of Nathan Smyth
> Sent: Wednesday, 11 April, 2012 09:08

> > If this server is getting connections from the client above,
> > and that client mistakenly handles WANT_READ by closing or
> > even exiting/aborting, the server gets either TCP abort or
> > unexpected TCP shutdown (aka EOF), which causes this error.
>
> Errno didn't return much. But this sounds reasonable. Playing
> with the blocking settings on the fd seems to help.
> Assume that it could be similar for the SSL_ACCEPT? (though
> WANT_WRITE, perhaps?)

Both client calls including SSL_connect and server calls including SSL_accept can use nonblocking socket, and all behave the same way. All can return either WANT_READ or WANT_WRITE. Do NOT assume that SSL_write only does socket writes or SSL_read only does socket reads; if you use nonblocking you must be prepared to handle whatever SSL_get_error tells you is 'wanted'. See the man page and/or http://www.openssl.org/support/faq.html#PROG10 . If you don't want to code this way, use blocking socket. That's much simpler, but it does block your thread; if you need or want concurrency you must then manage it at the thread or process level, not a 'work-item' level.

> Interestingly, in a situation where two apps open a number of
> SSL connections between each other (over time) I get a
> deadlock - where a client blocks on the SSL_Connect, and the
> server on the general (socketIO) accept. Any hints?

Not really. If you're doing the socket creation yourself and SSL_set_fd, as you said, then the socket connect should match the socket accept, before either one gets into OpenSSL at all. Look at netstat (or equivalent); look at a wire trace (like wireshark) if these are (or can be) on different machines.

> > You can actually use socket-BIO, and/or accept-BIO and
> > connect-BIO, to do plain TCP connections directly,
>
> To clarify, that's what I'm doing now, right?

Not as I understood your description. You indicated you use plain OS sockets for TCP and OpenSSL with SSL_set_fd (which creates a socket-BIO) for SSL.
I said an alternative is you use socket BIO(s) for TCP, and also socket BIO(s) for SSL. It's almost the same for SSL, but not the same for TCP.
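The retry pattern described in the reply above, as an added example that is not part of the original message. It uses Python's `ssl` module, which wraps OpenSSL and raises `SSLWantReadError` / `SSLWantWriteError` where the C API reports `SSL_ERROR_WANT_READ` / `SSL_ERROR_WANT_WRITE`; the helper names `retry_nonblocking`, `handshake` and `send_all` are hypothetical.

```python
import select
import ssl


def retry_nonblocking(op, sock, timeout=5.0):
    """Call op() until it completes on a nonblocking TLS socket.

    Any TLS call (handshake, read or write) may ask for either direction,
    so wait for exactly what OpenSSL reports and then retry the same call.
    Returns (result, waits); waits lists the directions that were waited on.
    """
    waits = []
    while True:
        try:
            return op(), waits
        except ssl.SSLWantReadError:        # SSL_ERROR_WANT_READ
            waits.append("read")
            ready = select.select([sock], [], [], timeout)[0]
        except ssl.SSLWantWriteError:       # SSL_ERROR_WANT_WRITE
            waits.append("write")
            ready = select.select([], [sock], [], timeout)[1]
        if not ready:
            # Give up instead of closing silently; the peer would only
            # see an unexpected EOF or reset with no explanation.
            raise TimeoutError("socket not ready for " + waits[-1])


def handshake(tls_sock, timeout=5.0):
    """Client or server handshake; both sides can want read or write."""
    return retry_nonblocking(tls_sock.do_handshake, tls_sock, timeout)


def send_all(tls_sock, data, timeout=5.0):
    """Send all of data; a TLS write may have to wait for a socket read."""
    view = memoryview(data)
    total = 0
    while view:
        sent, _ = retry_nonblocking(lambda: tls_sock.send(view),
                                    tls_sock, timeout)
        view = view[sent:]
        total += sent
    return total
```

`tls_sock` is assumed to be an `ssl.SSLSocket` created with `do_handshake_on_connect=False` and switched to nonblocking mode with `setblocking(False)`.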