[plt-scheme] ssl/tls connections

From: Matthew Flatt (mflatt at cs.utah.edu)
Date: Tue Mar 31 14:24:25 EDT 2009

At Tue, 31 Mar 2009 19:30:42 +0200, nik gaffney wrote:
> On 31/03/2009 18:48, Matthew Flatt wrote:
> > At Tue, 31 Mar 2009 13:55:15 +0100, Noel Welsh wrote:
> >> Try syncing on the input and output ports, rather than peeking. I
> >> don't know for sure but I guess that sync is implemented in terms of
> >> select, and the OpenSSL docs suggest you can use select to determine
> >> if data is ready without committing to a read or a write.
> > 
> > No, I think that's not the case. Socket-level data may just mean that
> > the other end started a negotiation about the protocol and doesn't
> > intend to send any payload.
> > 
> > After paging back in, I'm sure I've looked at this a couple of times
> > before, and I always conclude as the `openssl' library docs say: you
> > can't even ask whether the other end has provided data (though
> > `char-ready?', `sync' or other means) without committing to reading
> > data. I'm fairly certain that this is a limitation of the OpenSSL
> > protocol. (Of course, if anyone knows otherwise and can point me to the
> > right OpenSSL library functions, I'd be happy to improve the `openssl'
> > module.)
> 
> From the article Noel referred to [1] it looks like the interaction
> between select() and the ssl read & write functions is not particularly
> obvious. however, it suggests using the SSL_ERROR_WANT_READ and
> SSL_ERROR_WANT_WRITE to help coordinate SSL_write() and SSL_read() (and
> potentially SSL_want_read() and SSL_want_write() also. ..)
> 
> After a brief look through the openssl manpages, it might help to sync
> reads and writes on the scheme ports by exposing SSL_want() and/or using
> the result to flush any pending data.

The issue is that when SSL_read() or SSL_write() produces
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, the man pages say that you
have to retry SSL_read() or SSL_write() again with the same arguments
as before. If I remember correctly, I experimented with ignoring this
requirement, and it didn't work.

Searching again on this topic suggests [1,2] that

 * The retry is not really a requirement for SSL_read().

 * The retry is not a requirement for SSL_write() if you use the 
   SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER mode.

 * In any case, "retry" doesn't necessarily mean "must retry before
   doing anything else".

I don't yet believe any of this, but maybe it's worth one more try.


[1] http://www.mail-archive.com/openssl-users@openssl.org/msg39605.html

[2] http://www.mail-archive.com/openssl-dev@openssl.org/msg22423.html



Posted on the users mailing list.