[
https://issues.apache.org/jira/browse/TS-3667?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14634606#comment-14634606
]
Oknet Xu edited comment on TS-3667 at 7/21/15 6:44 AM:
-------------------------------------------------------
I have a plugin that hooks on SNI_HOOK/CERT_HOOK and looks up a cert from a MySQL
database by SNI.
The SSL handshake is pending in CERT_REQUEST status and will not be re-enabled by
SSLAccept() because {{this->read_raw_data()==-EAGAIN}} and it does {{return
SSL_HANDSHAKE_WANT_READ}}.
{{this->read_raw_data()==0}} means the client side closed the connection
(EOF); we can drop the SSL session before SSLAccept().
{{this->read_raw_data()<0}} means some other error; I think SSLAccept()
will find the other error cases and return a proper error value.
The new patch below only handles the EOF; other error cases are not included.
{code}
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index e06f749..6fbd681 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1074,17 +1074,10 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
// Read from socket to fill in the BIO buffer with the
// raw handshake data before calling the ssl accept calls.
int retval = this->read_raw_data();
- if (retval < 0) {
- if (retval == -EAGAIN) {
- // No data at the moment, hang tight
- SSLDebugVC(this, "SSL handshake: EAGAIN");
- return SSL_HANDSHAKE_WANT_READ;
- } else {
- // An error, make us go away
- SSLDebugVC(this, "SSL handshake error: read_retval=%d", retval);
- return EVENT_ERROR;
- }
- } else if (retval == 0) {
+
+ // TS-3667: handle EOS after SSLAccept()
+ // This is working with CERT_HOOK
+ if (retval == 0) {
// EOF, go away, we stopped in the handshake
SSLDebugVC(this, "SSL handshake error: EOF");
return EVENT_ERROR;
{code}
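Review bot: removing the whole `retval < 0` branch (from `- if (retval < 0) {` through its closing `- }`) drops the `return EVENT_ERROR;` for hard read errors together with the EAGAIN path, so a negative `read_raw_data()` result other than -EAGAIN now falls through to the accept call with an empty BIO instead of terminating the connection; the comment above leaves those cases to SSLAccept() on purpose, but an unterminated read error that only ends at the inactivity timeout is exactly the spin the ticket reports. Suggest keeping a narrow `if (retval < 0 && retval != -EAGAIN) return EVENT_ERROR;` and dropping only the `SSL_HANDSHAKE_WANT_READ` return. The new comment `// TS-3667: handle EOS after SSLAccept()` is also misleading: the check sits before the accept call and the debug line beside it says EOF, so "EOF before SSLAccept()" would describe the code.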
was (Author: oknet):
I have a plugin that hooks on SNI_HOOK/CERT_HOOK and looks up a cert from a MySQL
database by SNI.
The SSL handshake is pending in CERT_REQUEST status and will not be re-enabled by
SSLAccept() because {{this->read_raw_data()==-EAGAIN}} and it does {{return
SSL_HANDSHAKE_WANT_READ}}.
{{this->read_raw_data()==0}} means the client side closed the connection
(EOF); we can drop the SSL session before SSLAccept().
{{this->read_raw_data()<0}} means some other error; I think SSLAccept()
will find the other error cases and return a proper error value.
The new patch below only handles the EOF; other error cases are not included.
{code}
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index e06f749..89e3f4e 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1073,18 +1073,11 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
if (BIO_eof(SSL_get_rbio(this->ssl))) { // No more data in the buffer
// Read from socket to fill in the BIO buffer with the
// raw handshake data before calling the ssl accept calls.
- int retval = this->read_raw_data();
- if (retval < 0) {
- if (retval == -EAGAIN) {
- // No data at the moment, hang tight
- SSLDebugVC(this, "SSL handshake: EAGAIN");
- return SSL_HANDSHAKE_WANT_READ;
- } else {
- // An error, make us go away
- SSLDebugVC(this, "SSL handshake error: read_retval=%d", retval);
- return EVENT_ERROR;
- }
- } else if (retval == 0) {
+ retval = this->read_raw_data();
+
+ // TS-3667: handle EOS after SSLAccept()
+ // This is working with CERT_HOOK
+ if (retval == 0) {
// EOF, go away, we stopped in the handshake
SSLDebugVC(this, "SSL handshake error: EOF");
return EVENT_ERROR;
{code}
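Review bot: `+ retval = this->read_raw_data();` assigns to a variable whose only declaration in this hunk, `- int retval = this->read_raw_data();`, is removed; nothing in the visible context declares `retval`, so this revision would not compile unless the function declares it earlier. The later edit of the patch restores `int retval`, which is the right fix. The same concern as in the edited patch applies here: deleting the `retval < 0` block removes the `EVENT_ERROR` return for hard read errors, not only the EAGAIN `SSL_HANDSHAKE_WANT_READ` return, so a narrow `if (retval < 0 && retval != -EAGAIN) return EVENT_ERROR;` should stay.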
> SSL Handshake read does not correctly handle EOF and error cases
> ----------------------------------------------------------------
>
> Key: TS-3667
> URL: https://issues.apache.org/jira/browse/TS-3667
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Affects Versions: 5.2.0, 5.3.0
> Reporter: Susan Hinrichs
> Assignee: Susan Hinrichs
> Fix For: 5.3.1, 6.0.0
>
> Attachments: ts-3667.diff
>
>
> Reported by [~esproul] and postwait.
> The return value of SSLNetVConnection::read_raw_data() is being ignored, so
> EOF and errors are not terminated but rather spin until the inactivity
> timeout is reached. EAGAIN is not being descheduled until more data is
> available.
> This results in higher CPU utilization and hitting the SSL_error() function
> much more often than it needs to be hit.
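The three result classes that the comment spells out for read_raw_data() (bytes read, 0 for EOF, -EAGAIN for no data yet, any other negative value for an error) and the spin-until-inactivity-timeout behaviour the issue describes are easy to reproduce on a plain non-blocking socket. The program below is an added example, not Traffic Server code: raw_read() is an assumed stand-in that returns -errno the way the comment describes for read_raw_data(), the socket pair and the "ClientHello" bytes are constructed inputs, and max_iters stands in for the inactivity timeout.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* What a handshake loop should do with one read result. */
enum read_outcome { RD_DATA, RD_EOF, RD_WANT_READ, RD_ERROR };

/* Assumed stand-in for read_raw_data(): >0 bytes read, 0 EOF,
 * -EAGAIN no data yet on a non-blocking fd, other negative = -errno. */
static int raw_read(int fd, char *buf, size_t len) {
    ssize_t n = read(fd, buf, len);
    return n < 0 ? -errno : (int)n;
}

/* The dispatch the ticket says was missing: every class of result maps
 * to a distinct action, and only RD_WANT_READ may legitimately wait. */
enum read_outcome classify(int retval) {
    if (retval > 0) return RD_DATA;
    if (retval == 0) return RD_EOF;
    if (retval == -EAGAIN || retval == -EWOULDBLOCK) return RD_WANT_READ;
    return RD_ERROR;
}

static int make_nonblocking_pair(int sv[2]) {
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    return fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
}

/* Observe the three states on a constructed socket pair: nothing sent
 * yet (EAGAIN), a record arrives (data), then the peer closes (EOF). */
int demo_sequence(enum read_outcome out[3]) {
    int sv[2];
    char buf[64];
    if (make_nonblocking_pair(sv) != 0) return -1;
    out[0] = classify(raw_read(sv[0], buf, sizeof buf));
    if (write(sv[1], "ClientHello", 11) != 11) return -1;  /* constructed */
    out[1] = classify(raw_read(sv[0], buf, sizeof buf));
    close(sv[1]);
    out[2] = classify(raw_read(sv[0], buf, sizeof buf));
    close(sv[0]);
    return 0;
}

/* Handshake-style read loop. With handle_terminal == 0 it ignores the
 * result (the bug in the ticket) and only stops at max_iters, which
 * stands in for the inactivity timeout. Returns the reads performed. */
int drive_reads(int fd, int handle_terminal, int max_iters) {
    char buf[64];
    int iters = 0;
    while (iters < max_iters) {
        enum read_outcome o;
        iters++;
        o = classify(raw_read(fd, buf, sizeof buf));
        if (o == RD_DATA) continue;
        if (handle_terminal && (o == RD_EOF || o == RD_ERROR)) break;
        /* RD_WANT_READ: a real server would deschedule here and wait for
         * readability; this demo keeps looping so the count is visible. */
    }
    return iters;
}

/* Peer hangs up before sending anything: the handled loop exits on the
 * first EOF, the unhandled loop spins until the cap. */
int demo_spin(int handle_terminal, int max_iters) {
    int sv[2], n;
    if (make_nonblocking_pair(sv) != 0) return -1;
    close(sv[1]);
    n = drive_reads(sv[0], handle_terminal, max_iters);
    close(sv[0]);
    return n;
}

int main(void) {
    enum read_outcome seq[3];
    if (demo_sequence(seq) != 0) return 1;
    printf("sequence: %d %d %d (want_read=%d data=%d eof=%d)\n",
           seq[0], seq[1], seq[2], RD_WANT_READ, RD_DATA, RD_EOF);
    printf("reads with EOF handled: %d\n", demo_spin(1, 1000));
    printf("reads with result ignored: %d\n", demo_spin(0, 1000));
    return 0;
}
```

The point for a reviewer of either patch version is the asymmetry in classify(): only the EAGAIN class is a reason to wait, while EOF and any other negative value are terminal, and a loop that ignores the distinction turns a client hang-up into a CPU-bound spin for the whole inactivity timeout.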
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)