2
votes

OpenSSL has added secure renegotiation in 0.9.8m and later versions. How do I handle this case? In a server, using a non-blocking socket, say an SSL_accept is done. Now the server will check to see if the socket becomes readable. If it does, then there are two possibilities: either the socket became readable because the client sent some request, OR the client renegotiated the connection. SSL_MODE_AUTO_RETRY is not applicable, as I understand, on non-blocking sockets. If the client sent a request, SSL_read needs to be invoked. If the client renegotiated, SSL_accept has to be called. If I call SSL_read when the client did a renegotiation, it returns with SSL_ERROR_SSL. So how do I determine if I should do SSL_accept or SSL_read? Calling SSL_read again returns with the same error.

Thanks for any inputs


1 Answer

0
votes

I am guessing you are using C. You will have to check the error code and maintain the state of the session at your end. If the case is either success, needsRead or needsWrite, you will have to call the respective function. Initially set the status as needsAccept. The accept function will automatically decide, based on the session, if a read or a write is needed.

    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    #ifndef LOG_DEBUG                       /* the poster's logging macro; stand-in */
    #define LOG_DEBUG(msg) fprintf(stderr, "%s\n", (msg))
    #endif

    /* retNum is the value the last SSL_accept/SSL_read/SSL_write call returned. */
    static const char *sslState(SSL *ssl, int retNum)
    {
        int retCode = SSL_get_error(ssl, retNum);
        switch (retCode) {
        case SSL_ERROR_NONE:
            return "success";
        case SSL_ERROR_WANT_READ:           /* retry once the socket is readable */
            LOG_DEBUG("SSL_ERROR_WANT_READ");
            return "needsRead";
        case SSL_ERROR_WANT_WRITE:          /* retry once the socket is writable */
            return "needsWrite";
        case SSL_ERROR_ZERO_RETURN:         /* peer sent close_notify */
        case SSL_ERROR_SSL:                 /* protocol error, see ERR_get_error() */
        case SSL_ERROR_SYSCALL:             /* I/O error, see errno */
        default:
            return "socket should be closed";
        }
    }