We have a client application coded in C++ that connects to a Java application server via SSL using openssl. We use non-blocking socket connection mode with option to choose 'select' or 'poll' mechanism for identifying the data packets available to be read.
the client has been working fine for quite a while, but recently we noticed an issue where the response is getting split into multiple packets and SSL_read is returning just one character 'H' with SSL_ERROR_NONE and SSL_pending zero, as a result of which our SSL_read loop is ending with incomplete response. On a subsequent reinvocation of SSL_read [as a hack] we get the remaining response starting with 'TTP 1.1'.
Since SSL_pending=0 and SSL_get_error()=SSL_ERROR_NONE, we do not find any other way to know if there is more data to be read and hence ending the 'SSL_read' loop which just reads one character.
Here is the relevant pseudo code...
bool done=false;
int pending=1; bool inited=false;
bool want_read=false; bool want_write=false;
timeval tv;
String response; //internal class for string, legacy
while(!done) {
if( !inited || want_read || want_write ) {
try {
/* Wait a few seconds. */
if(!inited) {
tv.tv_sec = timeOutValue.tv_sec;
tv.tv_usec = timeOutValue.tv_usec;
} else {
tv.tv_sec = 0;
tv.tv_usec = 500000; //hack to reduce the waiting period
}
#ifdef USE_POLL
poll the socket
#else
call 'select' on the socket
#endif
inited=true;
continue;
} catch(const XSeption&) {
close_socket(&sock);
done=true;
cout << "Error waiting on select/poll call" << endl;
break;
}
}
memset(temp, 0, BUFSIZE);
charsRead = SSL_read(ssl,temp, (sizeof(char)*BUFSIZE));
cout << endl << "charsRead = " << charsRead << endl;
if(charsRead>0) {
response.append(temp, charsRead);
}
cout << "Response : " << response << endl;
int sslerror = SSL_get_error(ssl,charsRead);
cout << "SSL_error_code = " << sslerror << endl;
pending=SSL_pending(ssl);
cout << "pending characters in the current SSL buffer : " << endl;
/*
if(charsRead==1) {
memset(temp, 0, BUFSIZE);
cout << "read only one character which is odd,hence reading again" << endl;
charsRead = SSL_read(ssl,temp, (sizeof(char)*BUFSIZE));
cout << endl << "charsRead in second read = " << charsRead << endl;
if(charsRead>0) {
response.append(temp, charsRead);
}
cout << "Second Response : " << response << endl;
sslerror = SSL_get_error(ssl,charsRead);
cout << "SSL_error_code = " << sslerror << endl;
pending=SSL_pending(ssl);
cout << "pending characters in the current SSL buffer : " << endl;
}
*/
switch(sslerror){
case SSL_ERROR_NONE:
cout << "No SSL Error" << endl;
done=true; //ideally, we should mark the process completed here; but if mark this completed here, then we are getting only 1 character 'H'
break;
case SSL_ERROR_WANT_READ:
cout << "In SSL_ERROR_WANT_READ" << endl;
//SSLread Still pending
want_read=true;
//continue;
break;
case SSL_ERROR_WANT_WRITE:
cout << "In SSL_ERROR_WANT_WRITE" << endl;
//SSLread Still pending
want_write=true;
//continue;
break;
case SSL_ERROR_SSL:
done=true;
cout << "encountered SSL INTERNAL ERROR" << endl;
close_socket(&sock);
break;
case SSL_ERROR_SYSCALL:
done=true;
cout << "encountered ERROR SYSCALL" << endl;
close_socket(&sock);
break;
case SSL_ERROR_ZERO_RETURN:
done=true;
cout << "encountered SSL ZERO RETURN" << endl;
close_socket(&sock);
break;
default:
done=true;
cout << "encountered default error" << endl;
close_socket(&sock);
break;
} //end of switch
} //end of while
cout << "Final Response : " << response << endl;
So, how can I identify that the response is complete or is pending when SSL_pending returns zero and the SSL_get_error is SSL_ERROR_NONE and i do not know how long [number of bytes/characters the response can be?
Are my expectations wrong? Why is the SSL_read returning a single character the first time even though we provide a larger buffer?
Any help in this regard is highly appreciated...
UPDATE:
while(!done) {
currentTime = getTime();
tval.tv_sec = timeOutValue.tv_sec - (currentTime - beginTime);
tval.tv_usec = timeOutValue.tv_usec;
if ( tval.tv_sec <= 0 ) //the allotted time for processing this request has elapsed
{
//do not close the socket or SSL session since this is just a timeout issue
throw Exception::TIMEOUT);
}
#ifdef USE_POLL
fds.fd = sock;
fds.events = POLLIN;
#else
FD_ZERO(&rset);
FD_SET(sock, &rset);
#endif
if(!inited || want_read || want_write) {
timeval tv;
/*
When we first enter this method or for NON-SSL requests, we would wait till the SELECT call returns a ready file-descriptor but in the case of a SSL requests processing the response message , we just issue SELECT with 0(zero) or very little timeout since SSL_read is giving us a common error code for actual need to check at the socket (SELECT/POLL) and the need to call SSL_read again, if we can find a way to differentiate the need to call SELECT/POLL Vs invoke SSL_read, then this if-else construct needs to be removed and we can then use the complete remaining time for timeout parameter in SELECT/POLL call even for SSL requests
*/
if(!inited ) {
tv.tv_sec=tval.tv_sec;
tv.tv_usec=tval.tv_usec;
} else {
tv.tv_sec=0;
tv.tv_usec=1000;
}
try {
#ifdef USE_POLL
poll_call(&fds, 1, &tv);
#else
select_call(sock+1, &rset, NULL, NULL, &tv);
#endif
} catch(const Exception&) {
/*
do not close the socket or throw exception; the socket will be closed only if an error occurs or if the server itself the closed the connection
*/
}
inited=true;
want_read=false;
want_write=false;
}
memset(temp, 0, BUFSIZE);
charsRead = openSSL->SSLread(temp, (sizeof(char)*BUFSIZE));
if(charsRead>0) {
response.append(temp, charsRead);
done=is_response_complete(response);
} else {
int sslerror=openSSL->SSLgetErrorCode(charsRead);
switch(sslerror){
case SSL_ERROR_NONE:
break;
case SSL_ERROR_WANT_READ:
want_read=true;
break;
case SSL_ERROR_WANT_WRITE:
want_write=true;
break;
case SSL_ERROR_SSL:
close(openSSL, Exception::SSL_CONNECTION_PROBLEM,
ErrorDescription(sslerror));
break;
case SSL_ERROR_SYSCALL:
close(openSSL,Exception::SERVER_CONNECTION_PROBLEM,
ErrorDescription(sslerror));
break;
case SSL_ERROR_ZERO_RETURN:
default:
close(openSSL,Exception::SSL_CONNECTION_PROBLEM,
ErrorDescription(sslerror));
break;
} //end of switch
} //end off ssl_error check
}