
Re: Preliminary TLS/SSL success

bart@etpmod.phys.tue.nl wrote:

> Selecting for 'read' on the socket will not work in this case, since
> data will never be available from the client. This way, the TLS layer
> will never be called, and never have a chance to send something.

Oh, yes, I see now.  I think the concept can be summarised as saying
that when using TLS, the transport may need to read when we are logically
writing and may need to write when we are logically reading, so we have
to do whatever is right for the transport irrespective of what the
application *thinks* it's doing.  That clashes with the simple-minded
logic currently used in slapd.  I'll see to it.

> I think you just were lucky. As far as I can see, you start selecting
> on write after you received (read) the full request, but it can be that
> data needs to be written before there is data to be read.

Also, see that I had to add a field to the Connection indicating that we
are in the middle of SSL_accept since I checked in OpenSSL and concluded
that letting that go through the normal SSL_read processing would not
cut it.  I originally put that flag in the Sockbuf, but finally settled
for Connection instead.  Do you think this makes sense?

Julio
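The asymmetry discussed above (the TLS layer asking for a transport read while it still has bytes to write, or vice versa) can be observed directly with OpenSSL's WANT_READ/WANT_WRITE signalling. The following is an added illustration, not code from this thread or from slapd: it uses Python's `ssl` module (a wrapper over OpenSSL) with memory BIOs so it runs offline, and drives only the client half of a handshake because that side needs no certificate; `example.invalid` is a placeholder hostname and `tls_step` is a hypothetical helper in the spirit of the select logic being discussed.

```python
import ssl


def tls_step(op, outgoing):
    """Attempt one non-blocking TLS operation (handshake, read or write).

    Returns (result, needs): `needs` is the set of transport directions the
    TLS layer wants next, {"read"}, {"write"} or both, determined by what
    OpenSSL reported, not by what the application logically asked for.
    """
    result, needs = None, set()
    try:
        result = op()
    except ssl.SSLWantReadError:
        # OpenSSL needs more bytes from the peer before it can make progress.
        needs.add("read")
    except ssl.SSLWantWriteError:
        # OpenSSL has a record it must flush before it can make progress.
        needs.add("write")
    if outgoing.pending:
        # Records already produced but not yet on the wire: the event loop
        # must select for write even though the operation was a "read".
        needs.add("write")
    return result, needs


def client_first_step():
    """First handshake step of a TLS client with nothing yet received.

    The application is logically 'waiting to read' the server's reply, yet
    the TLS layer reports WANT_READ *and* has a ClientHello pending to write.
    Selecting only for read here would deadlock exactly as described above.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Placeholder hostname: the handshake never completes, nothing is verified.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    _, needs = tls_step(tls.do_handshake, outgoing)
    return needs, outgoing.pending


if __name__ == "__main__":
    needs, pending = client_first_step()
    print("transport directions needed:", sorted(needs))
    print("bytes the TLS layer wants written now:", pending)
```

In a real event loop the `needs` set, not the application's current intent, decides which of the select() read/write sets the socket goes into; the server side behaves symmetrically after it has read a full request and tries to write a response.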