[Reference:<_A2676@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: SSLway on Linux?
25 Jun 2004 03:12:10 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


On 06/25/04(07:05) you feedback@delegate.. (Yutaka Sato) wrote
in <_A2676@delegate-en.ML_>
 |It works.  So the problem is in the usage of OpenSSL by SSLway.
 |First, I located the SSL library function where error occurs.  Running
 |a DeleGate with SSLway and putting a HTTP request manually with telnet,
 |I noticed that the server does not disconnect during input from client,
 |and SSLway gets some error at the first SSL_read() to get the first
 |user level data response from server.  Next, I replaced SSL_read()
 |with read(), and saw that read() gets some data from server.  So the
 |cause of the error is not unexpected disconnection from server.  Then
 |I saw the source code of s_client.c and found that SSL_read() may
 |return a temporary error code to show some kind of status transitions.
 |Thus I made a patch like enclosed to retry SSL_read() on error, and
 |confirmed it works with the server.

I read the manual of SSL_get_error() and have understood a little more.
So I will make a little more generic modification for sslway.c like
the enclosed patch.

<URL:http://www.openssl.org/docs/ssl/SSL_get_error.html>
>SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
>
>    The operation did not complete; the same TLS/SSL I/O function should
> be called again later. If, by then, the underlying BIO has data available
> for reading (if the result code is SSL_ERROR_WANT_READ) or allows writing
> data (SSL_ERROR_WANT_WRITE), then some TLS/SSL protocol progress will
> take place, i.e. at least part of a TLS/SSL record will be read or written.
> Note that the retry may again lead to a SSL_ERROR_WANT_READ or
> SSL_ERROR_WANT_WRITE condition.  There is no fixed upper limit for
> the number of iterations that may be necessary until progress becomes
> visible at application protocol level.
>
>    For socket BIOs (e.g. when SSL_set_fd() was used), select() or poll()
> on the underlying socket can be used to find out when the TLS/SSL I/O
> function should be retried.
>
>    Caveat: Any TLS/SSL I/O function can lead to either of
> SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE. In particular, SSL_read()
> or SSL_peek() may want to write data and SSL_write() may want to read data.
> This is mainly because TLS/SSL handshakes may occur at any time during
> the protocol (initiated by either the client or the server); SSL_read(),
> SSL_peek(), and SSL_write() will handle any pending handshakes.

Cheers,
Yutaka
--
  D G   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


*** ../dist/delegate8.9.5/filters/sslway.c	Fri May 14 16:31:37 2004
--- sslway.c	Fri Jun 25 12:08:09 2004
***************
*** 470,475 ****
--- 470,511 ----
  	}
  	return ok;
  }
+ 
+ #define SSL_ERROR_WANT_READ        2
+ #define SSL_ERROR_WANT_WRITE       3
+ #define SSL_ERROR_WANT_X509_LOOKUP 4
+ 
+ static SSL_rdwr(wr,ssl,buf,siz)
+ 	SSL *ssl;
+ 	char *buf;
+ {	int i,xcc,err;
+ 
+ 	if( wr )
+ 		xcc = SSL_write(ssl,buf,siz);
+ 	else	xcc = SSL_read(ssl,buf,siz);
+ 	if( xcc < 0 ){
+ 		for( i = 0; i < 8; i++ ){
+ 			err = SSL_get_error(ssl,xcc);
+ 			DEBUG("SSL_%s()=%d ERR=%d",wr?"write":"read",xcc,err);
+ 
+ 			if( err != SSL_ERROR_WANT_READ
+ 			 && err != SSL_ERROR_WANT_WRITE
+ 			 && err != SSL_ERROR_WANT_X509_LOOKUP
+ 			)
+ 				break;
+ 
+ 			if( wr )
+ 				xcc = SSL_write(ssl,buf,siz);
+ 			else	xcc = SSL_read(ssl,buf,siz);
+ 			if( 0 <= xcc )
+ 				break;
+ 		}
+ 	}
+ 	return xcc;
+ }
+ #define SSL_read(ss,bf,sz)	SSL_rdwr(0,ss,bf,sz)
+ #define SSL_write(ss,bf,sz)	SSL_rdwr(1,ss,bf,sz)
+ 
  static writes(what,ssl,confd,buf,rcc)
  	char *what;
  	SSL *ssl;
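Review bot: the retry loop in SSL_rdwr() calls SSL_read()/SSL_write() again immediately after SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, without first waiting on the underlying socket with select()/poll() as the quoted SSL_get_error() text advises, and it gives up after a fixed 8 iterations even though the same text says there is no fixed upper limit on the number of retries; on a non-blocking socket that spins through the 8 attempts and can still fail on a peer that is merely slow. Consider waiting for the fd to become readable (WANT_READ) or writable (WANT_WRITE) before each retry and bounding the loop by elapsed time rather than by an iteration count. The three `#define SSL_ERROR_WANT_*` lines also duplicate constants that <openssl/ssl.h> already provides; including the header (or at least wrapping them in `#ifndef`) avoids a silent mismatch if the library's values ever differ from these literals.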
***************
*** 935,941 ****
  
  static put_help()
  {
! 	syslog_ERROR("SSLway 2004-05-05 <ysato@delegate.org>\r\n");
  }
  extern mainX();
  extern int RANDSTACK_RANGE;
--- 971,977 ----
  
  static put_help()
  {
! 	syslog_ERROR("SSLway 2004-06-25 <ysato@delegate.org>\r\n");
  }
  extern mainX();
  extern int RANDSTACK_RANGE;
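The retry behaviour the quoted man page describes, as an added example that is not code from this post or from DeleGate's sslway.c: the loop waits for the socket in the direction SSL_get_error() indicates before calling the same I/O function again, and is bounded by a wait count instead of an immediate 8-iteration spin. The ssl_ops callback table, the ERR_* enum and the fake_conn scripted connection are assumptions standing in for the OpenSSL API so the code runs without the library.

```c
/* Values mirror OpenSSL's SSL_ERROR_* codes (the patch hardcodes the WANT_* ones). */
enum { ERR_NONE = 0, ERR_SSL = 1, ERR_WANT_READ = 2, ERR_WANT_WRITE = 3, ERR_SYSCALL = 5, ERR_ZERO_RETURN = 6 };

/* Hypothetical callback table standing in for SSL_read()/SSL_write(), SSL_get_error()
 * and a select()/poll() wait on the underlying socket (0 = ready, -1 = timeout). */
typedef struct {
    int (*io)(void *conn, char *buf, int siz);
    int (*get_error)(void *conn, int ret);
    int (*wait_io)(void *conn, int want_write);
} ssl_ops;

/* Policy from the SSL_get_error() man page: on WANT_READ/WANT_WRITE wait for the socket
 * in that direction, then retry the same call; close_notify is EOF; anything else is final.
 * Returns >0 bytes transferred, 0 on clean EOF, -1 on error or wait budget exhausted. */
int ssl_io_retry(const ssl_ops *ops, void *conn, char *buf, int siz, int max_waits)
{
    int waits = 0;
    for (;;) {
        int rc = ops->io(conn, buf, siz);
        if (rc > 0)
            return rc;                                  /* application-level progress */
        int err = ops->get_error(conn, rc);
        if (err == ERR_ZERO_RETURN)
            return 0;                                   /* peer closed the TLS session cleanly */
        if (err != ERR_WANT_READ && err != ERR_WANT_WRITE)
            return -1;                                  /* ERR_SSL / ERR_SYSCALL: give up */
        /* The protocol sets no upper limit on retries; the bound is a local timeout policy. */
        if (++waits > max_waits || ops->wait_io(conn, err == ERR_WANT_WRITE) < 0)
            return -1;
    }
}

/* Constructed test double: a scripted connection. Positive entries are bytes a call
 * delivers; negative entries are -(SSL_ERROR_* code) reported for that call. */
typedef struct { const int *script; int n, pos, last_err, waits, write_waits; } fake_conn;

static int fake_io(void *c, char *buf, int siz)
{
    fake_conn *f = c;
    int step = f->pos < f->n ? f->script[f->pos++] : -ERR_SYSCALL;   /* past the script: socket error */
    (void)buf;
    if (step > 0) { f->last_err = ERR_NONE; return step < siz ? step : siz; }
    f->last_err = -step;
    return f->last_err == ERR_ZERO_RETURN ? 0 : -1;   /* SSL_read() yields 0 on close_notify */
}
static int fake_get_error(void *c, int ret) { (void)ret; return ((fake_conn *)c)->last_err; }
static int fake_wait(void *c, int want_write) { fake_conn *f = c; f->waits++; f->write_waits += want_write; return 0; }
static const ssl_ops fake_ops = { fake_io, fake_get_error, fake_wait };

/* Drive one script through the retry loop; copies the double out so the waits can be inspected. */
int run_script(const int *script, int n, int max_waits, fake_conn *out)
{
    char buf[64];
    fake_conn f = { script, n, 0, ERR_NONE, 0, 0 };
    int rc = ssl_io_retry(&fake_ops, &f, buf, (int)sizeof buf, max_waits);
    if (out) *out = f;
    return rc;
}
```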
