
Non-Blocking I/O With OpenSSL BIO

I am using OpenSSL 1.0.0-fips on Linux. The issue I am having is that SSL_connect() is returning -1 and SSL_get_error() is returning SSL_ERROR_WANT_READ. I then put the file descriptor into a select() with a timeval structure set to 10 seconds and the select() just times out.

I fired up Wireshark and I see the "Client Hello" go out and I see the ServerHello come back to the client, but it never "wakes up" in the select(). It just times out.

My questions are:

  1. Do I have to create a BIO object using BIO_new_socket() and then assign the BIO object to my SSL object using SSL_set_bio()? The man page for SSL_set_fd() says it will automatically create a BIO object, so that seems to imply that SSL_set_bio() is sort of a useless function that you never really have to call.

  2. Let us say we use SSL_set_fd() and assign a connected TCP file descriptor that is blocking. Let us say that we then later change that file descriptor to non-blocking using fcntl(). Does this break the SSL object (or the underlying BIO object) in any way?

1) Do I have to create a BIO object using BIO_new_socket() and then assign the BIO object to my SSL object using SSL_set_bio()? The man page for SSL_set_fd() says it will automatically create a BIO object, so that seems to imply that SSL_set_bio() is sort of a useless function that you never really have to call.

If the default BIO object is sufficient for your needs, then you do not have to manually create and install your own BIO object. The SSL_set_bio() call is there just in case you'd like to create/use a BIO object that is different from the default one that SSL_set_fd() creates on your behalf.

2) Let us say we use SSL_set_fd() and assign a connected TCP file descriptor that is blocking. Let us say that we then later change that file descriptor to non-blocking using fcntl(). Does this break the SSL object (or the underlying BIO object) in any way?

Yes, I believe it will break. The calling patterns for non-blocking OpenSSL are very different from those used with blocking OpenSSL, and I don't believe you can just switch back and forth from one mode to the other on the fly. That said, I haven't tried it myself, so I could be wrong, but I think to be on the safe side (and to be consistent) you should choose up-front whether you want to use blocking or non-blocking I/O and stick with it for the duration of the connection.

In particular, this quote from the man page:

The BIO and hence the SSL engine inherit the behaviour of fd.

... suggests that the SSL setup calls will examine the state of your fd and set private variables within the BIO and the SSL objects based on the blocking/non-blocking state of the fd. If you then "go behind OpenSSL's back" and change the behavior of the fd, OpenSSL's routines will not expect that and will very likely do the wrong thing and not work correctly.
