Hi, 
  I want to add an observation that I have just made.
Previously I used to create a new SSL structure for every connection 
and things worked fine.
Then I changed it so that I have a pool of SSL structures (to avoid
fragmentation)
and I reuse them by calling 
 SSL_clear(ssl);
 SSL_set_accept_state(ssl);
 SSL_set_fd(ssl,client);

This is when my negotiation with the browsers seems to fail and I get
'error in read client
hello B'. (Another question: What do 'A' and 'B' represent?) 

In the light of this observation, the read/write code seems to be
correct.
Does anyone know what I might be doing wrong when I reuse the SSL
structures?
(I still use 0.9.4.)
Thanks,
Amit.


Amit Chopra wrote:
> 
> Hi All,
>    I am facing a problem accepting SSL connections. I have a simple
> multi-threaded SSL web server. For test purposes I have also written
> a simple SSL client.
>    When I open an instance of IE (5.0) or Navigator (4.7), the browser
> opens multiple connections with my server (one for each URI) and the
> SSL transaction completes successfully. I can also browse other links
> over SSL. But when I close the browser and open another instance of
> it, the server gets caught in an infinite loop. It keeps getting
> SSL_WANT_READ and on reading keeps returning 0 bytes read. The SSL
> state dump shows 'SSL_accept: SSLv3 error in read client hello B'. For
> connections that get negotiated successfully I see 'SSL_accept: SSLv3
> read client hello A' and then the other correct handshake messages
> follow.
> But for the problem I cited it keeps saying 'SSL_WANT_READ' and
> 'SSL_accept: SSLv3 error in read client hello B' continuously in an
> infinite loop.
>    My own test client is capable of spawning multiple threads,
> each of which issues the same set of 'GET' requests and terminates the
> connection. It seems to work fine. Only the browsers are giving me a
> problem. And also my client works fine with sessionID caching ON or
> OFF.
> 
> I am unable to understand the reason for this anomaly.
> 
> I am attaching some code below that does SSL_read. Kindly note that I
> do an implicit SSL_accept.
> I call DoSSLRead in response to a read event on the client socket. The
> function that calls DoSSLRead
> reads n number of bytes from the client and writes them to the web
> server module.
> 
> // This function is called only when there is data to be received on the socket.
> // DoSSLRead reads data up to a max size of iSize and then returns.
> // Returns -1 if failure.
> // iSize is the size of data buffer (2K)
> int DoSSLRead(SSL *pSSL, char * pData, int iSize, BOOL & bMoreData)
> {
>     int nBytesRead = 0; //number of bytes read
>     int iRet1, iRet2, iRet3;
>     bMoreData = FALSE; //Is there more data to be read ??
>     while (nBytesRead < iSize)
>     {
>         iRet1 = SSL_read(pSSL, (pData + nBytesRead), (iSize - nBytesRead)) ;
>         if (iRet1 > 0)
>         {
>             nBytesRead += iRet1;
>         }
>         iRet2 = SSL_get_error(pSSL,iRet1);
>         switch (iRet2)
>         {
>             case SSL_ERROR_NONE:
>                 iRet3 = SSL_pending(pSSL);
>                 if (iRet3)
>                 {
>                     if (nBytesRead == iSize)
>                     {
>                         // There is more data pending but
>                         // we have filled up the buffer completely.
>                         // Indicate to the caller that more
>                         // data is available and return.
>                         bMoreData = TRUE;
>                         return nBytesRead;
>                     }
>                     else
>                     {
>                         // There is more data pending and
>                         // we still have not filled the buffer
>                         // completely so call SSL_read again.
>                         continue;
>                     }
>                 }
>                 else
>                 {
>                     // There is no more data pending.
>                     // Return the no. of bytes read.
>                     return nBytesRead;
>                 }
>                 break;
> 
>             case SSL_ERROR_WANT_READ:
>                 // The data is available but SSL wants us to
>                 // call SSL_read again. We should call SSL_read
>                 // but only if we still haven't filled up
>                 // the buffer.
>                 if (SSL_in_init(pSSL))
>                 {
>                     if (nBytesRead < iSize)
>                     {
>                         continue;
>                     }
>                     else
>                     {
>                         bMoreData = TRUE;
>                         return nBytesRead;
>                     }
>                 }
>                 else
>                 {
>                     return nBytesRead;
>                 }
>                 break;
>             case SSL_ERROR_WANT_WRITE:
>                 break;
>             case SSL_ERROR_WANT_X509_LOOKUP:
>                 break;
>             case SSL_ERROR_SYSCALL:
>                 return -1; //terminate the connection
>             case SSL_ERROR_SSL:
>                 return -1; //terminate the connection
>             case SSL_ERROR_ZERO_RETURN:
>                 return -1; //terminate the connection
>             default:
>                 DEBUGMSG("(DoSSLRead): UnHandled iRet2 = %d!!!\n", iRet2);
>                 return -1; // for now terminate the connection
>         }//end of switch
>     }//end of while
>     return nBytesRead;
> } //end of DoSSLRead
> 
> I would appreciate very much any help I can get.
> 
> Thanks,
> Amit.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]