Posted to issues@trafficserver.apache.org by "Oknet Xu (JIRA)" <ji...@apache.org> on 2015/07/18 08:03:04 UTC
[jira] [Comment Edited] (TS-3667) SSL Handshake read does not correctly handle EOF and error cases
[ https://issues.apache.org/jira/browse/TS-3667?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14632283#comment-14632283 ]
Oknet Xu edited comment on TS-3667 at 7/18/15 6:02 AM:
-------------------------------------------------------
The patch makes SNI_HOOK/CERT_HOOK broken. The new patch is posted below:
{code}
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index e06f749..754f24d 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1070,25 +1070,11 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
// All the pre-accept hooks have completed, proceed with the actual accept.
+ int retval = 1;
if (BIO_eof(SSL_get_rbio(this->ssl))) { // No more data in the buffer
// Read from socket to fill in the BIO buffer with the
// raw handshake data before calling the ssl accept calls.
- int retval = this->read_raw_data();
- if (retval < 0) {
- if (retval == -EAGAIN) {
- // No data at the moment, hang tight
- SSLDebugVC(this, "SSL handshake: EAGAIN");
- return SSL_HANDSHAKE_WANT_READ;
- } else {
- // An error, make us go away
- SSLDebugVC(this, "SSL handshake error: read_retval=%d", retval);
- return EVENT_ERROR;
- }
- } else if (retval == 0) {
- // EOF, go away, we stopped in the handshake
- SSLDebugVC(this, "SSL handshake error: EOF");
- return EVENT_ERROR;
- }
+ retval = this->read_raw_data();
}
ssl_error_t ssl_error = SSLAccept(ssl);
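Review bot: the `int retval = 1;` sentinel that replaces the early-return block is undocumented; nothing on that line says that 1 means "the BIO still held data, no read was attempted" or that the value is deliberately carried past `SSLAccept(ssl)` to be examined later. Suggest a one-line comment there. It is also worth stating in this hunk that a `read_raw_data()` result of 0 or a negative errno now still reaches `SSLAccept()`; that is the point of the reordering (a handshake paused by a hook must be given another `SSLAccept()` call even when the socket has nothing new), but a reader of this hunk alone cannot tell it is intentional.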
@@ -1186,6 +1172,25 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
case SSL_ERROR_WANT_READ:
TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_READ");
+
+ // TS-3667: handle EOF after SSLAccept()
+ // This is working with CERT_HOOK
+ if (retval < 0) {
+ if (retval == -EAGAIN) {
+ // No data at the moment, hang tight
+ SSLDebugVC(this, "SSL handshake: EAGAIN");
+ return SSL_HANDSHAKE_WANT_READ;
+ } else {
+ // An error, make us go away
+ SSLDebugVC(this, "SSL handshake error: read_retval=%d", retval);
+ return EVENT_ERROR;
+ }
+ } else if (retval == 0) {
+ // EOF, go away, we stopped in the handshake
+ SSLDebugVC(this, "SSL handshake error: EOF");
+ return EVENT_ERROR;
+ }
+
return SSL_HANDSHAKE_WANT_READ;
// This value is only defined in openssl has been patched to
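Review bot: the deferred check only runs under `case SSL_ERROR_WANT_READ:`, so an EOF or read error (`retval <= 0`) is silently dropped whenever `SSLAccept()` returns any other status, for example a hook pause; the connection is then left for the next read event instead of being torn down immediately. If that is acceptable, say so in the comment, because `// This is working with CERT_HOOK` does not explain why the check moved or what is lost. Also, the `retval == -EAGAIN` branch returns the same `SSL_HANDSHAKE_WANT_READ` as the fall-through a few lines below, so it now contributes only the debug line and could be collapsed into one `if (retval == -EAGAIN) { SSLDebugVC(...); } else if (retval <= 0) { ...; return EVENT_ERROR; }`.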
{code}
was (Author: oknet):
The patch makes SNI_HOOK/CERT_HOOK broken. The new patch is posted below:
{code}
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index e06f749..754f24d 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1070,25 +1070,11 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
// All the pre-accept hooks have completed, proceed with the actual accept.
+ int retval = 1;
if (BIO_eof(SSL_get_rbio(this->ssl))) { // No more data in the buffer
// Read from socket to fill in the BIO buffer with the
// raw handshake data before calling the ssl accept calls.
- int retval = this->read_raw_data();
- if (retval < 0) {
- if (retval == -EAGAIN) {
- // No data at the moment, hang tight
- SSLDebugVC(this, "SSL handshake: EAGAIN");
- return SSL_HANDSHAKE_WANT_READ;
- } else {
- // An error, make us go away
- SSLDebugVC(this, "SSL handshake error: read_retval=%d", retval);
- return EVENT_ERROR;
- }
- } else if (retval == 0) {
- // EOF, go away, we stopped in the handshake
- SSLDebugVC(this, "SSL handshake error: EOF");
- return EVENT_ERROR;
- }
+ retval = this->read_raw_data();
}
ssl_error_t ssl_error = SSLAccept(ssl);
@@ -1186,6 +1172,25 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
case SSL_ERROR_WANT_READ:
TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_READ");
+
+ // TS-3667: handle EOS after SSLAccept()
+ // This is working with CERT_HOOK
+ if (retval < 0) {
+ if (retval == -EAGAIN) {
+ // No data at the moment, hang tight
+ SSLDebugVC(this, "SSL handshake: EAGAIN");
+ return SSL_HANDSHAKE_WANT_READ;
+ } else {
+ // An error, make us go away
+ SSLDebugVC(this, "SSL handshake error: read_retval=%d", retval);
+ return EVENT_ERROR;
+ }
+ } else if (retval == 0) {
+ // EOF, go away, we stopped in the handshake
+ SSLDebugVC(this, "SSL handshake error: EOF");
+ return EVENT_ERROR;
+ }
+
return SSL_HANDSHAKE_WANT_READ;
// This value is only defined in openssl has been patched to
{code}
> SSL Handshake read does not correctly handle EOF and error cases
> ---------------------------------------------------------------
>
> Key: TS-3667
> URL: https://issues.apache.org/jira/browse/TS-3667
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Affects Versions: 5.2.0, 5.3.0
> Reporter: Susan Hinrichs
> Assignee: Susan Hinrichs
> Fix For: 5.3.1, 6.0.0
>
> Attachments: ts-3667.diff
>
>
> Reported by [~esproul] and postwait.
> The return value of SSLNetVConnection::read_raw_data() is being ignored. So EOF and errors are not terminated, but rather spin until the inactivity timeout is reached. EAGAIN is not being descheduled until more data is available.
> This results in higher CPU utilization and hitting the SSL_error() function much more than it needs to be hit.
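The control-flow difference behind this ticket, as an added example that is not part of the issue, the comment, or Traffic Server itself: three toy handlers model the pre-fix code that ignores `read_raw_data()`, the first patch's read-then-return ordering, and the revised accept-then-check ordering, driven by scripted read and accept results. The `HS_*`/`ACC_*` names, the `struct step` script and the assumption that a hook-paused handshake needs a further `SSLAccept()` call while the socket returns EAGAIN are constructed for this example.

```c
#include <errno.h>

/* Outcomes and fake SSLAccept() results; names are constructed for this
 * example and are not ATS's or OpenSSL's real values. */
enum { HS_WANT_READ = 1, HS_ERROR = 2, HS_DONE = 3 };
enum { ACC_OK = 0, ACC_WANT_READ = 1, ACC_WANT_X509_LOOKUP = 2 };

/* One scripted pass through sslServerHandShakeEvent(): is the BIO drained,
 * what read_raw_data() returns, and what SSLAccept() returns. */
struct step { int bio_empty; int read_ret; int accept_ret; };
typedef int (*handler_fn)(const struct step *, int *accepts);

/* Classify a read_raw_data() result; 'next' is returned when data arrived. */
static int map_read(int retval, int next)
{
    if (retval < 0) return retval == -EAGAIN ? HS_WANT_READ : HS_ERROR;
    if (retval == 0) return HS_ERROR;          /* EOF in mid-handshake */
    return next;
}

static int map_accept(int accept_ret) { return accept_ret == ACC_OK ? HS_DONE : HS_WANT_READ; }

/* Pre-fix: read result ignored, so EOF/error keep yielding WANT_READ and the
 * connection spins until the inactivity timeout fires. */
static int handler_ignore(const struct step *s, int *accepts)
{ ++*accepts; return map_accept(s->accept_ret); }

/* Ordering of the first ts-3667.diff (assumed): check the read result before
 * SSLAccept(), returning early on EAGAIN/EOF/error. */
static int handler_read_first(const struct step *s, int *accepts)
{
    if (s->bio_empty) {
        int r = map_read(s->read_ret, 0);
        if (r) return r;                       /* SSLAccept() never runs */
    }
    ++*accepts;
    return map_accept(s->accept_ret);
}

/* Ordering of the revised patch: SSLAccept() always runs; the read result is
 * consulted only when it reports WANT_READ. retval == 1 means "no read". */
static int handler_accept_first(const struct step *s, int *accepts)
{
    int retval = s->bio_empty ? s->read_ret : 1;
    ++*accepts;
    if (s->accept_ret == ACC_WANT_READ) return map_read(retval, HS_WANT_READ);
    return map_accept(s->accept_ret);
}
/* Run one pass and report its outcome, or whether SSLAccept() was reached. */
static int outcome(handler_fn h, struct step s) { int n = 0; return h(&s, &n); }
static int accept_ran(handler_fn h, struct step s) { int n = 0; h(&s, &n); return n; }
```

A hook-paused handshake (`{1, -EAGAIN, ACC_OK}`) never reaches `SSLAccept()` under the read-first ordering but completes under the revised one, while an EOF that arrives alongside a hook pause (`{1, 0, ACC_WANT_X509_LOOKUP}`) is still reported as WANT_READ by the revised ordering, which is the trade-off the second hunk makes.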
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)