Change OpenSSL BIO from blocking to non-blocking mode

I have a multi-threaded application that heavily uses OpenSSL in C. It is designed with the idea that all of its SSL connections are expected to be blocking. In particular, blocking BIOs. All of them are allocated from one inbound port as follows:

    ssl = SSL_new(ctx);
    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
    sock = BIO_new_socket(socket, BIO_CLOSE);
    SSL_set_bio(ssl, sock, sock);

As it turned out, there are several small parts of the code base where the best option would be to use non-blocking BIOs. Small parts that benefit from non-blocking BIOs will not be able to know which SSL connections will belong to them. Thus, they always get blocking BIOs.

The question is, can blocking BIOs be non-blocking?

I know that BIO_set_nbio can be used to lock BIO, but the documentation says:

A call to BIO_set_nbio() must be completed before the connection is established, since non-blocking I/O is established during the connection process.

Another possible option that I was thinking about is to copy the BIO and recreate it while maintaining all the state.

+6
1 answer

I did not block SSL connections in my own lion code, but I did not use the BIO functionality in OpenSSL at all.

Rather, I made calls to SSL_set_fd(ctx, fd) and SSL_get_fd(ssl) to process my own fdsets and call select.

The biggest gotcha, which took some time to track, was setting SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER and SSL_MODE_ENABLE_PARTIAL_WRITE, since it worked the way I wanted.

If you want to read part of the SSL code, it is here:

https://github.com/lundman/lion/blob/master/src/tls.c

+5
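
The descriptor-level half of the select-based approach in the answer, as an added example that is not code from the post or from lion: it switches an already-connected socket (the fd that SSL_get_fd returns) to non-blocking for one operation and restores the original mode afterwards. The names run_nonblocking, io_want, io_step and read_step are hypothetical; the example assumes the socket BIO follows the descriptor's O_NONBLOCK flag, and that in an OpenSSL caller the step would call SSL_read or SSL_write and map SSL_get_error to the want values.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* What one I/O attempt reports. In an OpenSSL caller these would be derived
 * from SSL_get_error() (SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE). */
typedef enum { IO_DONE, IO_WANT_READ, IO_WANT_WRITE, IO_FAIL } io_want;
typedef io_want (*io_step)(int fd, void *arg);  /* hypothetical callback type */

/* Run `step` with fd temporarily non-blocking, waiting in select() between
 * attempts. Returns 0 on completion, 1 on timeout, -1 on error. The original
 * flags are restored on every path after the switch. O_NONBLOCK belongs to
 * the open file description, so other threads using the same socket see the
 * change too; the timeout restarts if select() is interrupted by a signal. */
int run_nonblocking(int fd, io_step step, void *arg, int timeout_ms)
{
    int saved = fcntl(fd, F_GETFL, 0), rc = -1;
    if (saved < 0 || fcntl(fd, F_SETFL, saved | O_NONBLOCK) < 0)
        return -1;
    for (;;) {
        io_want w = step(fd, arg);
        if (w == IO_DONE) { rc = 0; break; }
        if (w == IO_FAIL) break;
        fd_set set;
        struct timeval tv;
        FD_ZERO(&set);
        FD_SET(fd, &set);
        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        int n = select(fd + 1, w == IO_WANT_READ ? &set : NULL,
                       w == IO_WANT_WRITE ? &set : NULL, NULL, &tv);
        if (n == 0) { rc = 1; break; }            /* timed out */
        if (n < 0 && errno != EINTR) break;       /* select() failed */
    }
    if (fcntl(fd, F_SETFL, saved) < 0) rc = -1;   /* back to the caller's mode */
    return rc;
}

/* Sample step on a plain socket: one read into a 64-byte buffer (arg). */
io_want read_step(int fd, void *arg)
{
    ssize_t n = read(fd, arg, 64);
    if (n > 0) return IO_DONE;
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) return IO_WANT_READ;
    return IO_FAIL;                               /* EOF or hard error */
}
```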

Source: https://habr.com/ru/post/903256/

