Using openssl with its unblocked bio, ssl_read returns SSL_ERROR_SYSCALL and SSL_ERROR_WANT_READ


Problem description

I use zeromq and openssl to write my server and client.

After a successful handshake, when the client sends a message to the server again, ssl_read() in the server returns -1 and ssl_get_error() returns SSL_ERROR_SYSCALL, and this situation repeats when the server receives messages again. I cannot find the reason. Do I need BIO_flush()? I would really appreciate it even if you just give me some inspiration to work this out.

Well, my program is too complicated to show. I was asked to add ssl to rpcz to improve its security (I don't know if rpcz is popular enough for most people to know. In my words, it combines zeromq, protobuf and rpc to realize remote procedure calls). So there are lots of pieces of code, and I think it won't help to show them all here.

I am trying to give more details.

After a successful handshake, when the server tries to decrypt the data it receives, using a method like this

```cpp
{
  //.......
  bio_write();
  //.......
  ssl_read();
}
```

and it turns out that bio_write() has successfully written the data into the bio, returning the amount of data, but ssl_read() always returns -1. So I use ssl_get_error() to check the error number; it returns SSL_ERROR_SYSCALL, and for the next data received, it returns SSL_ERROR_WANT_READ.

I hope that someone can help to explain why ssl_read returns these codes. I think if the ssl connection did not handshake successfully, ssl_write() wouldn't return a positive number. So maybe the problem is not the ssl connection.

Adding some more details:

```cpp
void TLSZmq::ssl_decrypt()
{
    //........
    ERR_clear_error();
    int rc = BIO_write(rbio,zmq_to_ssl->data(),zmq_to_ssl->size());
    ERR_get_error();
    check_ssl_err(rc); //written by myself
    //.........
    ERR_clear_error();
    aread = SSL_read(ssl_,buffer,BUFFERSIZE);
    ERR_get_error();
    check_ssl_err(rc); //written by myself
    //..........
}

void TLSZmq::check_ssl_err(int rc)
{
    //...................
    int err = SSL_get_error(ssl_, rc);
    if (err == SSL_ERROR_NONE)
    {
        std::cout<<"SSL_ERROR_NONE:"<<SSL_ERROR_NONE<<std::endl;
    }
    else if (err == SSL_ERROR_WANT_READ )
    {
        std::cout<<"SSL_ERROR_WANT_READ:"<<SSL_ERROR_WANT_READ<<std::endl;
    }
    else if (SSL_ERROR_SYSCALL)
    {
        std::cout<<"SSL_ERROR_SYSCALL:"<<SSL_ERROR_SYSCALL<<std::endl;

    }

    //.....................
}
```

I am not sure this is the right way to check the error stack or something. When SSL_ERROR_SYSCALL appears, ERR_get_error() returns a strange number like 336130315, and when SSL_ERROR_WANT_READ appears, ERR_get_error() returns 0.

Er... we are talking about openssl, right? rc gets the return value of the BIO_write() function of openssl. P.S. I use a zeromq socket for sending messages, which I have pointed out. I am confused. Does it make sense to get errno or call perror()?

Thank you very much for your time reading this.

Recommended answer

An SSL connection is not a decryption function and an encryption function that can be used independently. If you want a block or stream cipher, you can get one using the OpenSSL code for some of the pieces. But you can't use SSL itself that way.

It is possible to use BIO pairs to allow SSL to operate over a transport layer other than TCP. But you have to replicate the semantics of TCP -- it's complex, and the code looks nothing like the code you have above. (For example, TCP permits transmission in either direction at any time. You don't replicate that. SSL, designed to be layered on top of TCP, requires you to replicate that for it to work on some other transport.)

If you want a stream cipher, just use one.
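
The following is an added example, not code from the question or the answer. It uses Python's `ssl` module, which drives OpenSSL through the same memory-BIO interface, to show how the outcomes should be told apart: `SSL_ERROR_WANT_READ` only asks for more bytes in the read BIO, bytes that are not a TLS record produce a library error (`SSL_ERROR_SSL`), and the value 336130315 from the question unpacks, under the OpenSSL 1.x layout, to library 20 (SSL) and reason 267 (wrong version number). The host name `peer.invalid` and the sample frames are constructed, and the handshake stage is used so that no certificate is needed.

```python
import ssl

def unpack_err(code):
    """Split an OpenSSL 1.x packed error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def new_client():
    """TLS client engine with no socket; two memory BIOs stand in for the transport."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()   # rbio, wbio
    # "peer.invalid" is a placeholder name; no certificate is ever checked here.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="peer.invalid")
    return tls, incoming, outgoing

def step(tls, incoming, outgoing, frame=b""):
    """Feed one received frame, advance TLS, return (status, bytes to send)."""
    if frame:
        incoming.write(frame)              # same role as BIO_write(rbio, ...)
    try:
        tls.do_handshake()
        status = "ok"
    except ssl.SSLWantReadError:           # SSL_ERROR_WANT_READ: feed more bytes, retry
        status = "want_read"
    except ssl.SSLSyscallError:            # SSL_ERROR_SYSCALL: transport I/O failure
        status = "syscall"
    except ssl.SSLError as exc:            # SSL_ERROR_SSL: details are on the error queue
        status = "ssl_error:%s" % exc.reason
    return status, outgoing.read()         # always drain wbio and send it to the peer

def demo():
    results = []
    tls, inc, out = new_client()
    results.append(step(tls, inc, out))                    # ClientHello is queued in wbio
    results.append(step(tls, inc, out, b"\x16\x03\x03"))   # partial record header only
    tls, inc, out = new_client()
    step(tls, inc, out)
    # Constructed non-TLS bytes, as if plaintext had been written into the read BIO.
    results.append(step(tls, inc, out, b"plain frame, not a TLS record"))
    return results

if __name__ == "__main__":
    for status, to_send in demo():
        print(status, len(to_send))
    print(unpack_err(336130315))           # the code quoted in the question
```

The reason string attached to the protocol error depends on the OpenSSL version Python was built against, so code should branch on the error class and log the reason rather than match on it.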
