On Tue, Oct 6, 2015 at 8:41 PM, Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com> wrote:
>
> I am confused now. I understood that the state machine for the server case is
> fine. Hence that it flushes automatically where needed. So we only should and
> need to take care of the client case.
> How does using !SSL_is_init_finished(ssl) simplify the logic?

Sorry for the confusion.

What I meant is that it simplifies the logic in mod_ssl to use SSL_is_init_finished() unconditionally, since it (obviously) addresses all the cases: buggy openssl versions, client and server. It is required for the former case anyway, and is identical to SSL_in_connect_init() for the client case.

For the server case, openssl will use its own buffering mechanism during the handshake "so that the output is sent in a way that TCP likes", according to the comment in the code, so we shouldn't be flushing small chunks. Yet for the server case still, openssl will issue its own flush appropriately, so we may introduce a spurious flush by doing this (something I didn't think about).

Thus I agree that Joe's proposal is better: SSL_in_connect_init() but for the buggy case (openssl < 0.9.8m) where we need the generic SSL_is_init_finished().

Will commit this, thanks for the feedback.

Regards,
Yann.