> Er, but what if you get a SSL_ERROR_WANT_READ while trying to SSL_write?

This means "I cannot perform your write now, because some data I need to proceed has not arrived over the socket".

> Surely, this likely happens because the network/SSL BIO pair
> hasn't handled the peer to peer SSL session negotiation yet, and one
> would have to read or write from the network side of the BIO pair.

Exactly.

> This is what's confusing to many, I think: the operation on one
> of the four ports of the SSL engine can't progress unless there
> is an appropriate operation on ANOTHER (related) port.

Exactly.

> And yet, you say don't make a different SSL call. Or, did you
> mean on the same SSL session?

Right. You should make a call based on what you want to *do*. What you want to do has not changed. You make calls to the OpenSSL library based on what you want to do. The OpenSSL library will do whatever is needed to make what you want to do happen. You should call SSL_read if, and only if, you want to read decrypted data from the SSL connection.

> I wrap the SSL engine with SSL BIOs on the decrypted side and a
> BIO pair on the encrypted side (so all my interactions with the
> SSL state machine are via BIOs) and I very much need to do a
> BIO_read on one side if BIO_write on the other side fails, with
> SSL_ERROR_WANT_WRITE.

You have four ports that you should not think of as related. They are only temporarily related when a function returns a WANT_READ/WANT_WRITE indication. And, again, that relationship is only valid so long as no port makes any forward progress.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
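
The behaviour discussed in this message, as an added example that is not part of the original post: it uses Python's `ssl` module (a wrapper around OpenSSL) with two `MemoryBIO` objects standing in for the network side of the BIO pair. The helper names and the hostname `peer.example` are constructed for illustration, and no peer is attached, so the write never completes.

```python
import ssl

def attempt_write(tls, outgoing, data):
    """Attempt one application-level write (the SSL_write equivalent).

    Returns (status, ciphertext): status says what the engine reported,
    ciphertext is whatever the engine queued on the network-side output
    port and that the caller must now deliver to the peer.
    """
    try:
        tls.write(data)
        status = "written"
    except ssl.SSLWantReadError:
        # SSL_ERROR_WANT_READ: the engine needs bytes from the peer on the
        # network-side input port before this same write can go ahead.
        status = "want_read"
    except ssl.SSLWantWriteError:
        status = "want_write"
    # Drain the network-side output port regardless of the outcome.
    return status, outgoing.read()

def demo():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming = ssl.MemoryBIO()   # ciphertext from the peer goes in here
    outgoing = ssl.MemoryBIO()   # ciphertext for the peer comes out here
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="peer.example")

    # First attempt: no handshake has happened, so the write cannot proceed.
    # The engine emits a ClientHello and reports WANT_READ.
    first = attempt_write(tls, outgoing, b"hello")

    # Nothing arrived on the incoming port, so no port made forward progress.
    # Retrying the *same* call (still a write, because writing is still what
    # we want to do) reports WANT_READ again and emits nothing new.
    second = attempt_write(tls, outgoing, b"hello")
    return first, second

if __name__ == "__main__":
    (s1, out1), (s2, out2) = demo()
    print(s1, len(out1), "bytes queued for the peer")
    print(s2, len(out2), "bytes queued for the peer")
```

With a real peer, the caller would send the drained bytes, feed the reply into `incoming` with `incoming.write(...)`, and then call `attempt_write` again with the same data.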