Rémy,
On 11/29/18 08:27, Rémy Maucherat wrote:
> On Sun, Nov 25, 2018 at 10:42 AM Rainer Jung
> <rainer.j...@kippdata.de> wrote:
>
>> In our Java code, what happens is a call to unwrap() in
>> OpenSSLEngine. This call writes I think 146 bytes, then checks
>> pendingReadableBytesInSSL(). That call in turn calls
>> SSL.readFromSSL() and gets back "0" (from SSL_read()). Up in
>> unwrap() we then skip the while loop and finally return with
>> BUFFER_UNDERFLOW. Then we hang, probably because the data was
>> read by OpenSSL and no more socket event happens. If I
>> artificially add another call to pendingReadableBytesInSSL()
>> which triggers another SSL_read(), the hang does not occur.
>>
>> IMHO TLS 1.0 is not such a big problem, but we should at least
>> document it when we do a new release.
>
> Last time, Mark fixed pendingReadableBytesInSSL (=
> SSL.pendingReadableBytesInSSL) not working by using a fake read
> (SSL.readFromSSL(ssl, EMPTY_ADDR, 0)) to start a new record. So
> then we actually need to make *two* fake reads (if the result of
> the first is zero) and we would be fine ? This OpenSSL API sounds
> ridiculously bad ... (IMO)
>
> So you made it sound like it would work:
>
Index: > java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java > =================================================================== > > - --- java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (revis ion > 1847712) +++ > java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java > (working copy)
@@ -635,6 +635,9 @@ // See > https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html > clearLastError(); int lastPrimingReadResult = SSL.readFromSSL(ssl, > EMPTY_ADDR, 0); // priming read + if (lastPrimingReadResult > == 0) { + lastPrimingReadResult = SSL.readFromSSL(ssl, > EMPTY_ADDR, 0); + } // check if SSL_read returned <= 0. In > this case we need to check the error and see if it was something // > fatal. if (lastPrimingReadResult <= 0) {

Is anyone in contact with the OpenSSL folks? I mean... we could bumble our way through this by ourselves, or we could ask people who know everything about OpenSSL for some help...

-chris
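Review bot: the retry added in this hunk (`+ if (lastPrimingReadResult == 0) {` / `+ lastPrimingReadResult = SSL.readFromSSL(ssl, EMPTY_ADDR, 0);`) runs after the single `clearLastError();` call that precedes the first priming read, so any error state the first SSL_read left behind is still in place when the existing `if (lastPrimingReadResult <= 0)` check inspects it after the second read; call clearLastError() again before the second readFromSSL so the error check reflects only the read whose result it is examining. The duplicated call also deserves a comment on the `+ if` line stating why a second priming read is needed (the first SSL_read consumed a record but reported 0 bytes, as Rainer describes), otherwise it reads like a copy-paste mistake; and it is worth noting in that comment that a second 0 result still falls into the existing `<= 0` error path, so the change only covers the case of one empty priming read.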