Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
On 10/03/2015 20:10, Serj Rakitov wrote:
> Hi, Jakob. Thanks for the reply. Now I have seen the OpenSSL code and something is clear to me.
>
> WANT_READ/WANT_WRITE is just an implementation of WOULDBLOCK: a non-fatal error for non-blocking IO. So, for example, for a socket on Windows it is just WSAEWOULDBLOCK returned by WSAGetLastError. This is done by BIO_sock_should_retry/BIO_sock_non_fatal_error in sock_read/sock_write.
>
> There was some confusion on my part because I forgot that SSL_read/SSL_write can perform a handshake if it didn't happen before. This is the key, because if the handshake has taken place, then SSL_write will never want read (to my mind), because it just performs a writesocket (send) operation.
>
> But with rehandshaking (renegotiation) there is still confusion... I don't know why there is silence about this here and on the net! I have read Eric Rescorla's old (January 10, 2002) article, and there he talked about rehandshaking on the server and on the client, so it's possible with OpenSSL, but maybe in newer versions of OpenSSL it is not possible?
>
> Jakob, can you tell me: is it possible to renegotiate a connection in OpenSSL? And if yes, how do I do it right?

There is lots of mention of renegotiation (what you call rehandshaking) in the OpenSSL documents and discussions, so I am reasonably sure it can be done. It also seems there are secure and insecure ways to do it. I don't know the details though.

This implies that the general rules about applications using non-blocking sockets having to always handle the possibility of WANT_READ/WANT_WRITE at any time might be invoked by renegotiation scenarios at any time. Because the rules say "at any time", there is no specific discussion of applying those rules at specific times (such as during renegotiation).

> 10.03.2015, 19:06, Jakob Bohm jb-open...@wisemo.com:
>> Not having tested or read the relevant OpenSSL code, I presume that SSL_write could want a read if it has sent a handshake message, but not yet received the reply, thus it cannot (encrypt and) send user data until it has received and acted on the handshake reply message.
>>
>> Maybe the easier scenarios are at the start of a session, where the initial handshake has not yet completed, as happens in a HTTPS client (always writes a request before the first read) or a simple SMTPS server (always writes a banner line before the first read of client commands, except in some servers that do an early read to check if a broken/spammer client is trying to send before receiving the banner).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Nobody knows?

09.03.2015, 15:30, Serj Rakitov ra...@yandex.com:
> I have to open the discussion again. I want to test the situations when SSL_read wants WRITE and SSL_write wants READ. But I can't do this. SSL_read never wants write and SSL_write never wants read! I don't know how to catch these situations. I don't know how to rehandshake.
>
> I tried, after connect and handshake, to send data simultaneously both to the server and to the client, and never got one of those situations: SSL_read only wanted to read and SSL_write only wanted to write; all data was received by both client and server.
>
> I don't even understand how SSL_write can want to read. In what cases? I can understand when SSL_read wants to write, for example when the client got a HelloRequest or the server got a new ClientHello while reading data. But I can't test it, because I don't know how to start the handshake again, how to perform a rehandshake (renegotiation).
>
> Can anybody help me? How do I test these situations, or how do I perform a rehandshake?
>
> Best Regards,
> Serj Rakitov
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
On 09/03/2015 13:21, Serj Rakitov wrote:
> I have to open the discussion again. I want to test the situations when SSL_read wants WRITE and SSL_write wants READ. But I can't do this. SSL_read never wants write and SSL_write never wants read! I don't know how to catch these situations. I don't know how to rehandshake.
>
> I tried, after connect and handshake, to send data simultaneously both to the server and to the client, and never got one of those situations: SSL_read only wanted to read and SSL_write only wanted to write; all data was received by both client and server.
>
> I don't even understand how SSL_write can want to read. In what cases? I can understand when SSL_read wants to write, for example when the client got a HelloRequest or the server got a new ClientHello while reading data. But I can't test it, because I don't know how to start the handshake again, how to perform a rehandshake (renegotiation).
>
> Can anybody help me? How do I test these situations, or how do I perform a rehandshake?

Not having tested or read the relevant OpenSSL code, I presume that SSL_write could want a read if it has sent a handshake message, but not yet received the reply, thus it cannot (encrypt and) send user data until it has received and acted on the handshake reply message.

Maybe the easier scenarios are at the start of a session, where the initial handshake has not yet completed, as happens in a HTTPS client (always writes a request before the first read) or a simple SMTPS server (always writes a banner line before the first read of client commands, except in some servers that do an early read to check if a broken/spammer client is trying to send before receiving the banner).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Hi, Jakob. Thanks for the reply. Now I have seen the OpenSSL code and something is clear to me.

WANT_READ/WANT_WRITE is just an implementation of WOULDBLOCK: a non-fatal error for non-blocking IO. So, for example, for a socket on Windows it is just WSAEWOULDBLOCK returned by WSAGetLastError. This is done by BIO_sock_should_retry/BIO_sock_non_fatal_error in sock_read/sock_write.

There was some confusion on my part because I forgot that SSL_read/SSL_write can perform a handshake if it didn't happen before. This is the key, because if the handshake has taken place, then SSL_write will never want read (to my mind), because it just performs a writesocket (send) operation.

But with rehandshaking (renegotiation) there is still confusion... I don't know why there is silence about this here and on the net! I have read Eric Rescorla's old (January 10, 2002) article, and there he talked about rehandshaking on the server and on the client, so it's possible with OpenSSL, but maybe in newer versions of OpenSSL it is not possible?

Jakob, can you tell me: is it possible to renegotiate a connection in OpenSSL? And if yes, how do I do it right?

10.03.2015, 19:06, Jakob Bohm jb-open...@wisemo.com:
> Not having tested or read the relevant OpenSSL code, I presume that SSL_write could want a read if it has sent a handshake message, but not yet received the reply, thus it cannot (encrypt and) send user data until it has received and acted on the handshake reply message.
>
> Maybe the easier scenarios are at the start of a session, where the initial handshake has not yet completed, as happens in a HTTPS client (always writes a request before the first read) or a simple SMTPS server (always writes a banner line before the first read of client commands, except in some servers that do an early read to check if a broken/spammer client is trying to send before receiving the banner).
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
I have to open the discussion again. I want to test the situations when SSL_read wants WRITE and SSL_write wants READ. But I can't do this. SSL_read never wants write and SSL_write never wants read! I don't know how to catch these situations. I don't know how to rehandshake.

I tried, after connect and handshake, to send data simultaneously both to the server and to the client, and never got one of those situations: SSL_read only wanted to read and SSL_write only wanted to write; all data was received by both client and server.

I don't even understand how SSL_write can want to read. In what cases? I can understand when SSL_read wants to write, for example when the client got a HelloRequest or the server got a new ClientHello while reading data. But I can't test it, because I don't know how to start the handshake again, how to perform a rehandshake (renegotiation).

Can anybody help me? How do I test these situations, or how do I perform a rehandshake?

Best Regards,
Serj Rakitov
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Thanks, Graham. Sorry for the late answer )) Now I am testing...

21.02.2015, 14:42, Graham Leggett minf...@sharp.fm:
> On 21 Feb 2015, at 12:58 PM, Serj Rakitov ra...@yandex.com wrote:
>> I set the socket to non-blocking mode.
>>
>> 1. If I do SSL_read() and get result <= 0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE, what must I do? Is it enough to call SSL_write(ssl,0,0) one time and then again call SSL_read() until it succeeds? Is this right?
>>
>> 2. If I do SSL_write() and get result <= 0 and then SSL_get_error() returns SSL_ERROR_WANT_READ, what must I do? If I must read some data, can it be application data or not? So, if I call SSL_read(ssl,buf,buf_size), must I expect some application data in buf, or never? And after I do SSL_read(ssl,buf,buf_size), must I again call SSL_write() until it returns with success?
>>
>> 3. Can this situation happen: SSL_write() returns <= 0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE? What to do in this case for a non-blocking socket?
>
> In both cases you return back to your poll and ask the OS to wait for the event that openssl asked for. If openssl asked for read, you poll until the socket is readable. If openssl asked for a write, you poll until the socket is writable.
>
> When you get the event you asked for, you just run whatever you were running again. For example, if you were running SSL_read, run SSL_read again. If you were running SSL_write, run SSL_write again.
>
> So to write it out:
>
> - Call SSL_read(), it returns SSL_ERROR_WANT_WRITE
> - Poll for the socket being writable.
> - It's writable! Call SSL_read() again. It might return SSL_ERROR_WANT_READ
> - Poll for the socket being readable.
> - It's readable! Call SSL_read() again, and so on.
>
> If openssl wants read, poll for read. If openssl wants write, poll for write. Don't arbitrarily swap round SSL_read and SSL_write; those two calls are what *you* want to do, not what openssl wants to do.
>
> Regards,
> Graham
> --

--
Best Regards,
Serj Rakitov
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
On 21 Feb 2015, at 12:58 PM, Serj Rakitov ra...@yandex.com wrote:
> I set the socket to non-blocking mode.
>
> 1. If I do SSL_read() and get result <= 0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE, what must I do? Is it enough to call SSL_write(ssl,0,0) one time and then again call SSL_read() until it succeeds? Is this right?
>
> 2. If I do SSL_write() and get result <= 0 and then SSL_get_error() returns SSL_ERROR_WANT_READ, what must I do? If I must read some data, can it be application data or not? So, if I call SSL_read(ssl,buf,buf_size), must I expect some application data in buf, or never? And after I do SSL_read(ssl,buf,buf_size), must I again call SSL_write() until it returns with success?
>
> 3. Can this situation happen: SSL_write() returns <= 0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE? What to do in this case for a non-blocking socket?

In both cases you return back to your poll and ask the OS to wait for the event that openssl asked for. If openssl asked for read, you poll until the socket is readable. If openssl asked for a write, you poll until the socket is writable.

When you get the event you asked for, you just run whatever you were running again. For example, if you were running SSL_read, run SSL_read again. If you were running SSL_write, run SSL_write again.

So to write it out:

- Call SSL_read(), it returns SSL_ERROR_WANT_WRITE
- Poll for the socket being writable.
- It's writable! Call SSL_read() again. It might return SSL_ERROR_WANT_READ
- Poll for the socket being readable.
- It's readable! Call SSL_read() again, and so on.

If openssl wants read, poll for read. If openssl wants write, poll for write. Don't arbitrarily swap round SSL_read and SSL_write; those two calls are what *you* want to do, not what openssl wants to do.

Regards,
Graham
--
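Graham's rule ("retry the same call after the event OpenSSL asked for, never swap SSL_read for SSL_write") and Jakob's guess that SSL_write wants a read while the handshake is still in flight can both be observed without touching sockets. The following is an added example, not code from this thread or from the OpenSSL project: it uses Python's ssl module, which calls the same SSL_read/SSL_write and raises SSLWantReadError/SSLWantWriteError where the C API returns SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. Client and server run in one process over MemoryBIO pairs, so the "network" is a byte copy and the `readable` flag stands in for poll() reporting POLLIN. It assumes an OpenSSL build that still ships the anonymous ECDH TLS 1.2 suites (chosen purely so no certificate file is needed; an unauthenticated handshake is trivially man-in-the-middle-able and is for a test rig only). The names Endpoint, deliver, run_exchange and DEMO_CIPHERS, and the request/reply bytes, are constructed for this example.

```python
import ssl

# Anonymous ECDH TLS 1.2 suites, chosen only so the demo needs no certificate
# or key file. ASSUMPTION of this example, not of the thread: an unauthenticated
# handshake is trivially man-in-the-middle-able and must never leave a test rig.
DEMO_CIPHERS = "AECDH-AES256-SHA:AECDH-AES128-SHA:@SECLEVEL=0"


def make_contexts():
    """Client and server contexts pinned to TLS 1.2 with the demo cipher list."""
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.maximum_version = ssl.TLSVersion.TLSv1_2
    server.set_ciphers(DEMO_CIPHERS)

    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False       # must be cleared before CERT_NONE
    client.verify_mode = ssl.CERT_NONE  # an anonymous suite presents no cert
    client.maximum_version = ssl.TLSVersion.TLSv1_2
    client.set_ciphers(DEMO_CIPHERS)
    return client, server


class Endpoint:
    """One side of the connection: an SSLObject over a MemoryBIO pair.

    incoming = bytes "read from the socket"; outgoing = bytes OpenSSL wants
    sent. ops is the application's own plan (what *we* want to do, in Graham's
    words); events records what OpenSSL asked for at each call.
    """

    def __init__(self, role, ctx, server_side, ops):
        self.role = role
        self.incoming = ssl.MemoryBIO()
        self.outgoing = ssl.MemoryBIO()
        self.ssl = ctx.wrap_bio(self.incoming, self.outgoing, server_side=server_side)
        self.ops = list(ops)      # [(name, callable taking the SSLObject), ...]
        self.readable = True      # stand-in for poll() reporting POLLIN
        self.events = []
        self.results = {}

    def step(self):
        """Call the current operation once. True if it completed."""
        name, op = self.ops[0]
        try:
            self.results[name] = op(self.ssl)
        except ssl.SSLWantReadError:
            # OpenSSL needs bytes from the peer before *this* call can finish
            # (SSL_write still inside the handshake is the case from the thread).
            # Wait for POLLIN and call the same function again; do not switch
            # to SSL_read just because OpenSSL wants to read.
            self.events.append((name, "WANT_READ"))
            self.readable = False
            return False
        except ssl.SSLWantWriteError:
            # OpenSSL could not flush. A MemoryBIO is always writable, so the
            # retry is immediate; a socket would be polled for POLLOUT first.
            self.events.append((name, "WANT_WRITE"))
            return False
        self.events.append((name, "ok"))
        self.ops.pop(0)
        return True


def deliver(src, dst):
    """The 'network': copy whatever OpenSSL queued on src into dst's inbox."""
    data = src.outgoing.read()
    if data:
        dst.incoming.write(data)
        dst.readable = True       # poll() would now report POLLIN on dst
    return len(data)


def run_exchange(request=b"GET / HTTP/1.0\r\n\r\n", reply=b"HTTP/1.0 200 OK\r\n\r\n"):
    """Client writes first (HTTPS style), so its first SSL_write has to drive
    the whole handshake; the server reads first. Returns both endpoints."""
    client_ctx, server_ctx = make_contexts()
    client = Endpoint("client", client_ctx, False, [
        ("write", lambda s: s.write(request)),
        ("read", lambda s: s.read(4096)),
    ])
    server = Endpoint("server", server_ctx, True, [
        ("read", lambda s: s.read(4096)),
        ("write", lambda s: s.write(reply)),
    ])
    for _ in range(64):               # bounded: a bug must not spin forever
        if not client.ops and not server.ops:
            return client, server
        for me, peer in ((client, server), (server, client)):
            while me.ops and me.readable and me.step():
                pass
            deliver(me, peer)
    raise RuntimeError(f"no progress: {client.events} / {server.events}")


if __name__ == "__main__":
    c, s = run_exchange()
    for ep in (c, s):
        for name, outcome in ep.events:
            print(f"{ep.role:6} SSL_{name:5} -> {outcome}")
    print("negotiated:", c.ssl.cipher())
```

Running it shows the client's SSL_write returning WANT_READ at least once (it is sending the ClientHello and then the client's second flight) before the same call finally succeeds and carries the application data; the server's SSL_read, which is never swapped for a write, answers each flight as a side effect of being retried. The WANT_WRITE branch never fires here because a memory BIO cannot fill up; on a real non-blocking socket it does when the send buffer is full, and the answer is the same: wait for POLLOUT and repeat the identical call.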
[openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Hello.

I set the socket to non-blocking mode.

1. If I do SSL_read() and get result <= 0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE, what must I do? Is it enough to call SSL_write(ssl,0,0) one time and then again call SSL_read() until it succeeds? Is this right?

2. If I do SSL_write() and get result <= 0 and then SSL_get_error() returns SSL_ERROR_WANT_READ, what must I do? If I must read some data, can it be application data or not? So, if I call SSL_read(ssl,buf,buf_size), must I expect some application data in buf, or never? And after I do SSL_read(ssl,buf,buf_size), must I again call SSL_write() until it returns with success?

3. Can this situation happen: SSL_write() returns <= 0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE? What to do in this case for a non-blocking socket?

--
Best Regards,
Serj Rakitov