OpenSSL error handling
Question
Is this the correct way to do error handling in OpenSSL?
And what is the difference between SSL_get_error and ERR_get_error?
The docs are quite vague in this regard.
int ssl_shutdown(SSL *ssl_connection)
{
    int rv, err;
    ERR_clear_error();
    rv = SSL_shutdown(ssl_connection);
    if (rv == 0)
        SSL_shutdown(ssl_connection);
    if (rv < 0)
    {
        err = SSL_get_error(ssl_connection, rv);
        if (err == SSL_ERROR_SSL)
            fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL));
        fprintf(stderr, "%s\n", SSL_state_string(ssl_connection));
        return 1;
    }
    SSL_free(ssl_connection);
    return 0;
}
Recommended answer
SSL_get_error() returns a result code (suitable for the C "switch" statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(), SSL_read(), SSL_peek(), or SSL_write() on ssl. The value returned by that TLS/SSL I/O function must be passed to SSL_get_error() in parameter ret.
ERR_get_error() returns the earliest error code from the thread's error queue and removes the entry. This function can be called repeatedly until there are no more error codes to return.
So the latter is for more general use and those shouldn't be used together, because:
The current thread's error queue must be empty before the TLS/SSL I/O operation is attempted, or SSL_get_error() will not work reliably.
So you have to read all of the errors using ERR_get_error and handle them (or ignore them by removal as you did in your code sample with ERR_clear_error) and then perform the IO operation. Your approach seems to be correct, although I can't check all aspects of it by myself at the moment.
Refer to this answer and this post for more information.
According to this tutorial, BIO_ routines may generate an error and affect the error queue:
The third field is the name of the package that generated the error, such as "BIO routines" or "bignum routines".
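The queue-must-be-empty rule quoted above, as an added example that is not part of the original answer and not OpenSSL's own code: a simplified C model of one thread's error queue, assuming the result-code lookup checks the queue before the connection's want-read state. All `model_*` names and the error value are constructed for illustration.

```c
#include <stdio.h>
/* Simplified model, NOT OpenSSL code: one thread's error queue plus the
 * lookup order assumed for SSL_get_error(). All model_* names are hypothetical. */
enum { MODEL_NONE, MODEL_SSL, MODEL_WANT_READ, MODEL_OTHER };
enum { KEEP_QUEUE, CLEAR_QUEUE, READ_QUEUE };
#define QUEUE_MAX 16
static unsigned long queue[QUEUE_MAX];
static unsigned q_head, q_len;

/* A library routine (for example a BIO call) recording a failure. */
void model_put_error(unsigned long code) {
    if (q_len < QUEUE_MAX)
        queue[(q_head + q_len++) % QUEUE_MAX] = code;
}

/* Like ERR_get_error(): return the earliest entry and remove it, 0 if empty. */
unsigned long model_get_error(void) {
    if (q_len == 0) return 0;
    unsigned long code = queue[q_head];
    q_head = (q_head + 1) % QUEUE_MAX;
    q_len--;
    return code;
}

/* Like ERR_clear_error(): discard every queued entry. */
void model_clear_error(void) { q_head = q_len = 0; }

/* Like SSL_get_error(): a queued error is seen before the want-read state. */
int model_ssl_get_error(int ret, int want_read) {
    if (ret > 0) return MODEL_NONE;
    if (q_len != 0) return MODEL_SSL;
    return want_read ? MODEL_WANT_READ : MODEL_OTHER;
}

/* A stale entry is queued, then a read that only needs more data returns -1. */
int classify_read_after_stale_error(int prep) {
    model_clear_error();
    model_put_error(0x1234UL);                 /* constructed stale error code */
    if (prep == CLEAR_QUEUE) model_clear_error();
    if (prep == READ_QUEUE)
        while (model_get_error() != 0) { /* handle or log each entry here */ }
    return model_ssl_get_error(-1, 1);         /* -1 with want_read set */
}

int main(void) {
    printf("%d %d %d\n", classify_read_after_stale_error(KEEP_QUEUE),
           classify_read_after_stale_error(CLEAR_QUEUE), classify_read_after_stale_error(READ_QUEUE));
    return 0;
}
```

With the stale entry left in place, the would-block read is reported as a protocol error; clearing the queue or reading it to the end before the I/O call gives the want-read result.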