How to manage the error queue in openssl (SSL_get_error and ERR_get_error)

Problem description

In OpenSSL, the man pages for the majority of SSL_* calls indicate an error by returning a value <= 0 and suggest calling SSL_get_error() to get the extended error.

But within the man pages for these calls as well as for other OpenSSL library calls, there are vague references to using the "error queue" in OpenSSL - such is the case in the man page for SSL_get_error:

   The current thread's error queue must be empty before the TLS/SSL I/O
   operation is attempted, or  SSL_get_error() will not work reliably.

And in that very same man page, the description for SSL_ERROR_SSL says this:

   SSL_ERROR_SSL
       A failure in the SSL library occurred, usually a protocol error.
       The OpenSSL error queue contains more information on the error.

This kind of implies that there is something in the error queue worth reading. And failure to read it makes a subsequent call to SSL_get_error unreliable. Presumably, the call to make is ERR_get_error.

I plan to use non-blocking sockets in my code. As such, it's important that I reliably discover when the error condition is SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE so I can put the socket in the correct polling mode.

So my questions are these:

  • Does SSL_get_error() call ERR_get_error() implicitly for me? Or do I need to use both?

  • Should I be calling ERR_clear_error prior to every OpenSSL library call?

  • Is it possible that more than one error could be in the queue after an OpenSSL library call completes? Hence, are there circumstances where the first error in the queue is more relevant than the last error?

Recommended answer

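  • SSL_get_error does not call ERR_get_error. So if you only call SSL_get_error, the error stays in the queue.
  • You should call ERR_clear_error before any SSL call (SSL_read, SSL_write, etc.) that is followed by SSL_get_error; otherwise you may be reading an old error that occurred earlier in the current thread.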