Just a bit of clarification on my question... I am fully aware that if the 
OpenSSL library tells me it NEEDS_READ or NEEDS_WRITE in response to an SSL_read 
I should then issue that same SSL_read command again with the same parameters 
when the associated resource is ready for whichever operation OpenSSL requested 
before issuing another SSL_read and likewise with SSL_write (unless options are 
set to allow partial writes and/or moving buffers). My question is specifically 
about whether a NEED_X response from SSL_read means that I cannot call 
SSL_write until SSL_read succeeds and likewise with SSL_write.
________________________________________
From: owner-openssl-...@openssl.org [owner-openssl-...@openssl.org] on behalf 
of Barbe, Charles [charles.ba...@allworx.com]
Sent: Thursday, June 05, 2014 12:03 PM
To: openssl-dev@openssl.org
Subject: Conflicting information regarding non-blocking sockets

Hello,

I have implemented an SSL server on the ecos platform and it seems to be 
working well; however, I am a tiny bit unclear about the requirements around 
whether or not calls to SSL_read and SSL_write need to be synchronized and I 
want to avoid doing something incorrect. The specific question I have is this:

If I call SSL_read() and openSSL tells me that it NEEDS_WRITE or NEEDS_READ, do 
I need to then hold off calls to SSL_write until I have called SSL_read again 
and it succeeds? And then the same question but with SSL_write.

I am asking because I have seen conflicting information. Here is where I'm 
getting the conflicting information:

From the "calls must be synchronized" camp:

In chapter 5, pages 159-166 of "Network Security with OpenSSL" by John Viega, 
Matt Messier & Pravir Chandra, 2002 they state very clearly that "once we've 
made a call to an SSL I/O function, and it requires a retry, we should not call 
other I/O functions until the original call has succeeded." It even gives a 
code example that achieves this synchronization.

From the "calls to SSL_read and SSL_write can be treated independently" camp:

In this thread from the openssl-dev mailing list:

http://marc.info/?l=openssl-dev&m=124308191325560&w=2

A gentleman named David Schwartz states, "I'm not sure where you see that, but 
that is obviously bogus. Suppose we have a protocol that permits either side to 
read or write at any time. We call SSL_read in case the other side sent 
something, it returns WANT_READ, because the other side didn't send anything. 
Are you seriously arguing that we now can't send anything until the other side 
does? Isn't that obviously an impossible requirement?"

In response to this statement by somebody else "Because the documentation 
appears in several places to state that when I receive WANT_X from _any_ 
OpenSSL API operation in non-blocking mode, the next API operation I issue on 
that SSL * must be the exact same API operation, with the same parameters."

Can somebody please tell me which of these two sources is correct or if I am 
misreading them?

Thanks!

CHAD


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org