RE: Need help for select and a SSL_read problem
> Thanks Darryl for your help. I wrote that when I send a new packet from the client I can read the missing packets, but not the new one. But in fact I can read the missing packets and a part of the second packet. Here is the trace. I send a frame of 10 bytes from the client, and the server reads 5 bytes.

Your problem is basically that you are waiting for network I/O when the network I/O you are waiting for has already occurred.

Do not assume that there will be no *decrypted* data unless you *know* there is no decrypted data. That 'select' tells you there is no *encrypted* data (for SSL to receive from the socket and decrypt) does not mean there is no *decrypted* data (that has already been received and decrypted).

You should, ideally, rely on no assumptions about how moving encrypted data will affect the motion of decrypted data. In other words, you should *never* assume that OpenSSL will not be able to give you more decrypted data from the other side until it reads more encrypted data from the other side, unless OpenSSL specifically tells you that this is the case (through a WANT_READ indication). This is what you are doing by waiting for 'select' to tell you there is more *encrypted* data for SSL to read. It is wrong unless the last thing OpenSSL told you was that SSL_read returned WANT_READ.

DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Need help for select and a SSL_read problem
Hi all,

I am doing a simple SSL server/client. I use a select function to read and write on the socket. From my client I send 1KB of data, all at once, and then I expect to read it in the server. In the server application, I get a select read hit, and I read 500B. Then I expect to have a second select read hit to finish the read. But it never happens, and the program is blocked in the select. If I send a new packet from the client I can read the missing packets, but not the new one. I use non-blocking sockets.

Can you help me?

Thanks,
Arun
Re: Need help for select and a SSL_read problem
--- GUIRY Aroun [EMAIL PROTECTED] wrote:

> Hi all, I am doing a simple SSL server/client. I use a select function to read and write on the socket. From my client I send 1KB of data, all at once, and then I expect to read it in the server. In the server application, I get a select read hit, and I read 500B. Then I expect to have a second select read hit to finish the read. But it never happens, and the program is blocked in the select. If I send a new packet from the client I can read the missing packets, but not the new one. I use non-blocking sockets.

The read condition signaled by the select() call should be cleared before you call it again. Also, TCP doesn't have any message boundaries, so I think you cannot hope to get two notifications for one receive. The reason you get it when you send another packet is the notification you get for the other packet, not for the previous remnant. Obviously, when reading, you have to read the remnant first. In other words it is not possible to do what you plan to achieve. In fact it is not even guaranteed in TCP that you will get the whole packet in one read itself.

regards,
Girish

> Can you help me? Thanks, Arun
Re: Need help for select and a SSL_read problem
GUIRY Aroun wrote:
> If I send a new packet from the client I can read the missing packets, but not the new one. I use non-blocking sockets.

Are you on Linux? Can you run 'strace' or 'strace -p pid' and paste the relevant parts of the output to the list.

Darryl
Re: Need help for select and a SSL_read problem
Hello,

> I am doing a simple SSL server/client. I use a select function to read and write on the socket. From my client I send 1KB of data, all at once, and then I expect to read it in the server. In the server application, I get a select read hit, and I read 500B. Then I expect to have a second select read hit to finish the read. But it never happens, and the program is blocked in the select.

You should be aware that the SSL layer buffers data. If for example you send 1K from the client, the data is encapsulated in SSL records and sent to the server (if you send for example ~32kb the client may send two SSL records because the max data size is ~16kb). When the client receives this record the 1kb of data will be put in a buffer, and if you read 500b from the SSL layer, the second 500b will stay in the buffer, and waiting in select() will not give you this data. There is a function SSL_pending() for checking data in the SSL buffer, and if this function tells you that there is data in the SSL buffers you should just call SSL_read().

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: Need help for select and a SSL_read problem
Thanks Darryl for your help. I wrote that when I send a new packet from the client I can read the missing packets, but not the new one. But in fact I can read the missing packets and a part of the second packet. Here is the trace. I send a frame of 10 bytes from the client, and the server reads 5 bytes.

write(1, Connection realized\r\n, 21) = 21
select(5, [4], NULL, NULL, NULL
- I send a frame of 10 bytes -
read(4, \27\3\0\0 , 5) = 5
read(4, \260\347\362\263\264Q\267\2\17\303\1\222\37A\367~d\203..., 32) = 32
read(4, \27\3\0\0 , 5) = 5
read(4, \177\376[\'\35\325[\242P\275F\313+b\233\261w\341Iu\336..., 32) = 32
select(5, [4], NULL, NULL, NULL
- I send a frame of 10 bytes -
select(5, [4], NULL, NULL, NULL) = 1 (in [4])
read(4, \27\3\0\0 , 5) = 5
read(4, \357YO\305\4NU\316\264\270\213S\347\306\346\222_\351a\t..., 32) = 32
read(4, \27\3\0\0 , 5) = 5
read(4, q\361\322\'*\2764\223\302g\375\260\0\211\376\265\266F..., 32) = 32
select(5, [4], NULL, NULL, NULL

Thanks

> GUIRY Aroun wrote:
> > If I send a new packet from the client I can read the missing packets, but not the new one. I use non-blocking sockets.
>
> Are you on Linux? Can you run 'strace' or 'strace -p pid' and paste the relevant parts of the output to the list.
>
> Darryl
Re: Need help for select and a SSL_read problem
GUIRY Aroun wrote:
> Thanks Darryl for your help. I wrote that when I send a new packet from the client I can read the missing packets, but not the new one. But in fact I can read the missing packets and a part of the second packet. Here is the trace. I send a frame of 10 bytes from the client, and the server reads 5 bytes.
>
> write(1, Connection realized\r\n, 21) = 21
> select(5, [4], NULL, NULL, NULL
> - I send a frame of 10 bytes -
> read(4, \27\3\0\0 , 5) = 5
> read(4, \260\347\362\263\264Q\267\2\17\303\1\222\37A\367~d\203..., 32) = 32
> read(4, \27\3\0\0 , 5) = 5
> read(4, \177\376[\'\35\325[\242P\275F\313+b\233\261w\341Iu\336..., 32) = 32
> select(5, [4], NULL, NULL, NULL
> - I send a frame of 10 bytes -
> select(5, [4], NULL, NULL, NULL) = 1 (in [4])
> read(4, \27\3\0\0 , 5) = 5
> read(4, \357YO\305\4NU\316\264\270\213S\347\306\346\222_\351a\t..., 32) = 32
> read(4, \27\3\0\0 , 5) = 5
> read(4, q\361\322\'*\2764\223\302g\375\260\0\211\376\265\266F..., 32) = 32
> select(5, [4], NULL, NULL, NULL

This doesn't tell me much and does not relate to your original 1024/512 bytes query. But I understood your original problem to be that you issued a single SSL_write() at the client end for a 1024 byte application data payload. But you were not seeing enough data at the server end: after you waited for select to return readability and called SSL_read(), you did not get the full chunk of application data you committed in the SSL_write() at the client end. So you waited for select some more. And this is the point where you have a problem, because you keep waiting and it never returns that there is new data to process, and therefore you never call SSL_read() again to see all the data you expected come through.

The trace above looks correct for a 10 byte payload. The 5 bytes is the SSL header and the 32 a packet of data. You may want to turn on SSL_set_read_ahead(), but that should not be the cause of your problems; it will just make the SSL library / kernel syscall interaction a little more efficient.

Marek, by highlighting SSL_pending(), is indicating that you may not have called SSL_read() enough times. Can I confirm that after a select() readability hit you call SSL_read() as many times as you can, until it returns -1/WANT_READ? I would guess that the first call to SSL_read() may be processing a control packet, probably the end part of the initial handshake. What error return are you getting from SSL_read(), and has SSL_connect() returned 1 yet?

Darryl
Re: Need help for select and a SSL_read problem
Hello,

> write(1, Connection realized\r\n, 21) = 21
> select(5, [4], NULL, NULL, NULL
> - I send a frame of 10 bytes -
> read(4, \27\3\0\0 , 5) = 5
> read(4, \260\347\362\263\264Q\267\2\17\303\1\222\37A\367~d\203..., 32) = 32
> read(4, \27\3\0\0 , 5) = 5
> read(4, \177\376[\'\35\325[\242P\275F\313+b\233\261w\341Iu\336..., 32) = 32
> select(5, [4], NULL, NULL, NULL

These two SSL records do not mean that the first 5 bytes of data are sent in the first record and the next 5 bytes in the second. OpenSSL sends, before every SSL record with real data, an empty SSL record. So the first record may be a so-called empty fragment and the second record has the real 10 bytes of data. For example, if the negotiated cipher is AES-MD5 then the empty record will have 32 bytes (0 (data) + 16 (md5sum) + 16 (padding)) and the second record with data will have 32 bytes too (10 (data) + 16 (md5sum) + 6 (padding)) (of course using sha1 does not change the final size either). Empty records guard against some CBC attacks, and this mechanism may be disabled by using the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag (not all implementations of SSL like empty fragments :-)

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: SSL_read problem
Wolfgang Marczy@TOPCALL 11/27/2000 04:20 PM
To: [EMAIL PROTECTED]@smtp
cc:
Subject: Re: SSL_read problem

Hi everybody,

I get the strange error 140DF114:SSL routines:SSL_read:uninitialized, though I have initialized the connection as seen below. Has anybody encountered the same problem???

Thanx,
Wolfgang.

[EMAIL PROTECTED] on 11/23/2000 05:42:12 PM
To: Wolfgang Marczy/TC_VIE/TOPCALL@TOPCALL, [EMAIL PROTECTED] @ INETTIFF @ TCINTL
cc:
Subject: Re: SSL_read problem

> On Thu, Nov 23, 2000 at 03:38:33PM +0100, Wolfgang Marczy wrote:
> > SSL_load_error_strings()
> > SSL_library_init()
> > RAND_seed(...)
> > ssl_ctx_serv=SSL_CTX_new(SSLv23_client_method())
> > ssl_con_serv=SSL_new(ssl_ctx_serv)
> > err_flag=SSL_set_fd(ssl_con_serv,rec_socket)
> > err_flag=SSL_accept(ssl_con_serv)
> > ret=SSL_read(ssl_con_serv,line,LINELENGTH)
> > Everything works fine except SSL_read. Any suggestions??
>
> man SSL_get_error.
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: SSL_read problem
On Mon, Nov 27, 2000 at 04:21:05PM +0100, Wolfgang Marczy wrote:
> Hi everybody, I get the strange error 140DF114:SSL routines:SSL_read:uninitialized, though I have initialized the connection as seen below.

The error message indicates that s->handshake_func is not set. This does not make much sense. On a closer look at your problem I however note the following:

> On Thu, Nov 23, 2000 at 03:38:33PM +0100, Wolfgang Marczy wrote:
> > SSL_load_error_strings()
> > SSL_library_init()
> > RAND_seed(...)
> > ssl_ctx_serv=SSL_CTX_new(SSLv23_client_method())

This prepares an SSL client!!

> > ssl_con_serv=SSL_new(ssl_ctx_serv)
> > err_flag=SSL_set_fd(ssl_con_serv,rec_socket)
> > err_flag=SSL_accept(ssl_con_serv)

This is the function for an SSL server!! I am somewhat surprised that you did not see any error message on calling SSL_accept(); is err_flag really "1"=success on return? (It would be something to correct if SSL_accept() would silently fail and give back "1"=success.)

> > ret=SSL_read(ssl_con_serv,line,LINELENGTH)

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
SSL_read problem
Hi everybody,

I am developing an SSL enhancement for an SMTP server and I want to use the OpenSSL API to establish the SSL connection. So far I initialized the SSL connection, and the SSL_accept also worked fine. But when I want to read from the socket I always get a -1 as return value. I am not sure what the problem is, because when I use the standard recv I get data from the socket. Here are my implementation steps, perhaps something is missing:

SSL_load_error_strings()
SSL_library_init()
RAND_seed(...)
ssl_ctx_serv=SSL_CTX_new(SSLv23_client_method())
ssl_con_serv=SSL_new(ssl_ctx_serv)
err_flag=SSL_set_fd(ssl_con_serv,rec_socket)
err_flag=SSL_accept(ssl_con_serv)
ret=SSL_read(ssl_con_serv,line,LINELENGTH)

Everything works fine except SSL_read. Any suggestions??

Thanx,
Wolfgang Marczy.
RE: SSL_read problem
You need to determine what the SSL error is that you're receiving (use SSL_get_error). It may well be SSL_ERROR_WANT_READ, saying that you need to call SSL_read again for it to get all the data you've requested (particularly if you're using non-blocking sockets).

- Dale.
SSL_read problem
Hi!

I'm having a problem reading from the socket when connection keep-alive is on. SSL_read returns -2. What could that -2 possibly mean? I tried to look at the code but didn't find the red thread.

Thanks already if anyone knows!

Yours,
VW
SSL_read problem
Hi.

When I run SSL_read on a socket (as the client) where the server is down, SSL_read returns 0 - as if there were no bytes to read from the socket. This is not true - the server is down and there will never be something to read from the server. Because the SSL_read command is non-blocking and is in a loop until the buffer is read, the result is an endless loop.

Can anyone suggest a method to check whether SSL_read returns 0 because there is nothing to read or because the socket is broken? Trying to write into the socket would do (the 'regular' write returns with signal SIGPIPE and return value of EPIPE) - but I don't want to write into the socket. What can I do?

Thanks in advance,
Amir Amit
Re: SSL_read problem
On Mon, 31 Jan 2000, Amir Amit wrote:
> Hi. When I run SSL_read on a socket (as the client) where the server is down, SSL_read returns 0 - as if there were no bytes to read from the socket. This is not true - the server is down and there will never be something to read from the server. Because the SSL_read command is non-blocking and is in a loop until the buffer is read, the result is an endless loop. Can anyone suggest a method to check whether SSL_read returns 0 because there is nothing to read or because the socket is broken? Trying to write into the socket would do (the 'regular' write returns with signal SIGPIPE and return value of EPIPE) - but I don't want to write into the socket. What can I do?

If a select statement indicates the socket is readable, but a subsequent read operation on the socket returns zero bytes, this indicates the socket has been closed. I don't know if that's the "pure" way but it works.

The other thing to check: "man getsockopt", the option you might be interested in is "SO_ERROR" (see "man 7 socket"). However, whether this maps to SSL_read or not I can't say ... it certainly works for reads on the socket itself. (Eg. your problem might be that some data *is* actually read from the socket by the SSL but was an incomplete packet - so no decrypted data can be read out of the SSL until more data arrives on the socket.)

Have you looked through apps/s_client.c and the associated s_***.[ch] files?

Regards,
Geoff
--
Geoff Thorpe Email: [EMAIL PROTECTED]
Cryptographic Software Engineer, C2Net Europe http://www.int.c2.net
--
Re: SSL_read problem
Word on the street is that Amir Amit said:
> When I run SSL_read on a socket (as the client) where the server is down, SSL_read returns 0 - as if there were no bytes to read from the socket. This is not true - the server is down and there will never be something to read from the server. Because the SSL_read command is non-blocking and is in a loop until the buffer is read, the result is an endless loop. Can anyone suggest a method to check whether SSL_read returns 0 because there is nothing to read or because the socket is broken?

Look at apps/s_client.c - I think what you're looking for is SSL_get_error.

Skye
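The behaviour described across these threads (DS's point that decrypted bytes can be stranded in the TLS layer while select() waits on an idle socket, Marek's SSL_pending() and empty fragments, Darryl's "call SSL_read() until WANT_READ", Geoff's incomplete-record case, and the zero-byte return Amir asks about) can be reproduced with a small model. What follows is an added example written for this page; it is not code from the thread or from OpenSSL. It uses only Python's standard library. FakeTLSSocket is a constructed stand-in that frames records with the same 5-byte header seen in the strace but does no cryptography; read_loop is written so that it would also work unchanged against a real non-blocking ssl.SSLSocket (recv() raising ssl.SSLWantReadError, pending() standing in for SSL_pending()). All names, payloads and the timeout value are assumptions.

```python
import select
import socket
import ssl

REC_HDR = 5  # 5-byte record header (type, version, length) as in the strace above

def send_record(raw, payload):
    """Emit an empty record (OpenSSL's empty fragment) and then the payload.
    Constructed framing only; nothing here is really encrypted."""
    for body in (b"", payload):
        raw.sendall(b"\x17\x03\x00" + len(body).to_bytes(2, "big") + body)

class FakeTLSSocket:
    """Stand-in for the parts of ssl.SSLSocket a read loop relies on: recv() hands
    out already-decrypted bytes, raises ssl.SSLWantReadError only when the next
    record is incomplete in its own buffers, returns b'' on peer close; pending()
    plays the role of SSL_pending()."""
    def __init__(self, raw):
        self.raw = raw
        self.raw.setblocking(False)
        self.raw_buf = b""  # bytes already taken from the kernel, maybe a partial record
        self.plain = b""    # decrypted bytes not yet handed to the application
        self.eof = False

    def fileno(self):
        return self.raw.fileno()

    def pending(self):
        return len(self.plain)

    def _fill(self):
        try:
            data = self.raw.recv(65536)
        except BlockingIOError:
            raise ssl.SSLWantReadError()  # the one case where select() is the answer
        if data == b"":
            self.eof = True
        self.raw_buf += data

    def _pull_record(self):
        while True:
            if len(self.raw_buf) >= REC_HDR:
                total = REC_HDR + int.from_bytes(self.raw_buf[3:5], "big")
                if len(self.raw_buf) >= total:
                    self.plain += self.raw_buf[REC_HDR:total]
                    self.raw_buf = self.raw_buf[total:]
                    return True
            if self.eof:
                return False
            self._fill()

    def recv(self, n):
        while not self.plain:  # an empty fragment yields no plaintext, keep pulling
            if not self._pull_record():
                return b""
        out, self.plain = self.plain[:n], self.plain[n:]
        return out

def read_loop(tls, want, chunk, timeout, select_first):
    """select_first=True: the thread's pattern, select() before every read.
    select_first=False: select() only after WANT_READ and only if nothing is pending."""
    got, need_socket = b"", False
    while len(got) < want:
        wait = select_first or (need_socket and not tls.pending())
        if wait and not select.select([tls], [], [], timeout)[0]:
            return got, "stalled"  # socket idle; any buffered plaintext is stranded
        need_socket = False
        try:
            data = tls.recv(chunk)
        except ssl.SSLWantReadError:
            need_socket = True  # the TLS layer genuinely needs more bytes from the peer
            continue
        if data == b"":
            return got, "closed"  # zero bytes after readability: the peer has gone
        got += data
    return got, "ok"

def demo(timeout=0.2):
    """Run the cases raised in the threads over socketpairs; returns the outcomes."""
    r = {}
    c, s = socket.socketpair()
    send_record(c, b"helloworld")  # 10 bytes, read 5 at a time as in the trace
    tls = FakeTLSSocket(s)
    r["select_first"] = read_loop(tls, 10, 5, timeout, True)  # stalls after 5
    r["pending_after_stall"] = tls.pending()  # what SSL_pending() would report
    r["drain_rest"] = read_loop(tls, 5, 5, timeout, False)  # the rest was there all along
    c.close(); s.close()
    c, s = socket.socketpair()
    c.sendall(b"\x17\x03\x00\x00\x0a" + b"hel")  # a record cut in half on the wire
    tls = FakeTLSSocket(s)
    half = read_loop(tls, 10, 5, timeout, False)  # WANT_READ, so waiting is correct
    c.sendall(b"loworld")
    r["partial_then_rest"] = (half, read_loop(tls, 10, 5, timeout, False))
    c.close(); s.close()
    c, s = socket.socketpair()
    c.close()  # the peer is down: nothing will ever arrive
    r["peer_closed"] = read_loop(FakeTLSSocket(s), 10, 5, timeout, False)
    s.close()
    return r
```

Calling demo() shows the four outcomes: the select-first loop reads 5 of the 10 bytes and then stalls with 5 bytes still pending in the TLS layer; the same object drained without a select() yields the rest immediately; a record that is only half on the wire makes the TLS layer raise WANT_READ, and there waiting in select() is the right thing to do; and a closed peer gives a zero-length read, which the loop treats as end of stream rather than "nothing yet".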