If SSL_read returns SSL_ERROR_WANT_READ, it is perfectly reasonable to go ahead and call SSL_write or the other way around. Otherwise, it would be impossible to do full-duplex SSL communication with OpenSSL. I recently ran into a host of similar questions (and issues) and I got most of my questions clarified from David Schwartz's old posts (especially, this thread: http://marc.info/?l=openssl-dev&m=124297302310346&w=2) and the one I posted in SO recently (http://stackoverflow.com/questions/18728355/ssl-renegotiation-with-full-duplex-socket-communication).
Things become a little tricky when renegotiations are in progress, but the above post talks about it.

- Karthik.

On Thu, Sep 19, 2013 at 12:24 PM, James Marshall <ja...@jmarshall.com> wrote:
> My understanding is that yes, on that given socket, you have to do only what
> it needs according to the error code. In this case, SSL_ERROR_WANT_WRITE
> indicates you should select on write and try SSL_write() again before doing
> an SSL_read() on that socket. Of course, you can read and write on other
> sockets in the meantime.
>
> For an implementation, an SSL_ERROR_WANT_WRITE means add the socket to the
> list of sockets to select() for writing and delete from the list for
> reading, and SSL_ERROR_WANT_READ means add the socket for reading and delete
> it for writing. But note that SSL_ERROR_WANT_WRITE doesn't imply
> SSL_write() comes next, and SSL_ERROR_WANT_READ doesn't imply SSL_read()
> comes next, because the interrupting handshake is two-way. Also note that
> SSL_accept() and SSL_shutdown() require similar handling.
>
> For non-blocking IO, here's a simple set of tables consolidated from the
> docs that is useful for a possible general switch structure:
> http://jmarshall.com/wiki/bin/view/Main/NonBlockingIOinOpenSSL . I'm
> pretty sure it's correct, but I'm not an expert. It could definitely be
> improved-- as I recall my structure was to select(), then for each socket
> switch on its error code, then do the appropriate next operation (which for
> SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE is just a repeat of its previous
> operation).
>
> Good luck,
> James
>
>
>
> On Thu, Sep 19, 2013 at 2:02 AM, Krzysztof Kwiatkowski <krzys...@leeds.pl>
> wrote:
>>
>> Hi,
>>
>> I'm a bit confused about usage of SSL_write()/SSL_read() in non-blocking
>> connectors. Let's say I do SSL_write() and I get SSL_ERROR_WANT_WRITE. It
>> means I have to do SSL_write() again. But does it mean that I can't do
>> SSL_read() until SSL_write() returns with success?
>>
>> Any idea?
>>
>> Kris
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
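
The select() bookkeeping James describes in this thread, sketched as an added example (not code from any poster or from OpenSSL). The enum names, `struct conn`, and the idle policy after a successful call are assumptions of this sketch; the enums stand in for the SSL_get_error() results and the SSL_read()/SSL_write()/SSL_accept()/SSL_shutdown() calls so the logic runs without linking OpenSSL.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for SSL_get_error() results and for the call that produced them
 * (names are this example's own, not OpenSSL identifiers). */
enum tls_err { E_NONE, E_WANT_READ, E_WANT_WRITE, E_FATAL };
enum tls_op  { OP_NONE, OP_READ, OP_WRITE, OP_ACCEPT, OP_SHUTDOWN };

struct conn {
    enum tls_op pending;  /* call to repeat once the socket is ready */
    bool sel_read;        /* socket is in the select() read set */
    bool sel_write;       /* socket is in the select() write set */
    bool has_output;      /* application data queued for SSL_write() */
    bool dead;            /* fatal error seen, stop using the socket */
};

/* Record the outcome of `op` and move the socket between select() sets. */
void conn_on_result(struct conn *c, enum tls_op op, enum tls_err err)
{
    switch (err) {
    case E_WANT_READ:   /* add for reading, delete for writing */
        c->pending = op; c->sel_read = true;  c->sel_write = false; break;
    case E_WANT_WRITE:  /* add for writing, delete for reading */
        c->pending = op; c->sel_read = false; c->sel_write = true;  break;
    case E_NONE:        /* assumed idle policy: read always, write if queued */
        c->pending = OP_NONE; c->sel_read = true; c->sel_write = c->has_output; break;
    default:
        c->pending = OP_NONE; c->sel_read = c->sel_write = false; c->dead = true;
    }
}

/* After select() returns, choose the call to make on this socket. */
enum tls_op conn_next_op(const struct conn *c, bool readable, bool writable)
{
    if (c->dead || !((c->sel_read && readable) || (c->sel_write && writable)))
        return OP_NONE;
    if (c->pending != OP_NONE)
        return c->pending;  /* repeat the interrupted call, whatever the direction */
    return (c->sel_write && writable) ? OP_WRITE : OP_READ;
}

int main(void)
{
    struct conn c = {0};
    conn_on_result(&c, OP_READ, E_WANT_WRITE);  /* SSL_read() hit a handshake */
    printf("readable only -> op %d\n", conn_next_op(&c, true, false));
    printf("writable      -> op %d\n", conn_next_op(&c, false, true));
    return 0;
}
```
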