3

我们有一个用 C++ 编码的客户端应用程序,它使用 openssl 通过 SSL 连接到 Java 应用程序服务器。我们使用非阻塞套接字连接模式,可以选择“选择”或“轮询”机制来识别可供读取的数据包。

客户端已经正常工作了很长一段时间,但最近我们注意到一个问题,即响应被拆分为多个数据包,并且 SSL_read 仅返回一个字符“H”且 SSL_ERROR_NONE 和 SSL_pending 为零,因此我们的 SSL_read 循环以不完整的回应结束。在随后重新调用 SSL_read [as a hack] 时,我们得到以“TTP 1.1”开头的剩余响应。

由于 SSL_pending=0 和 SSL_get_error()=SSL_ERROR_NONE,我们找不到任何其他方法来知道是否还有更多数据要读取,从而结束仅读取一个字符的“SSL_read”循环。

Here is the relevant pseudo code... 

bool done=false;
int pending=1; bool inited=false;
bool want_read=false; bool want_write=false;
timeval tv;
String response; //internal class for string, legacy            
while(!done) {
if( !inited || want_read || want_write ) {
    try {
        /* Wait a few seconds. */
        if(!inited) {
            tv.tv_sec = timeOutValue.tv_sec;
            tv.tv_usec = timeOutValue.tv_usec;
        } else {
            tv.tv_sec = 0;
            tv.tv_usec = 500000; //hack to reduce the waiting period
        } 
                    #ifdef USE_POLL
            poll the socket
        #else
            call 'select' on the socket
        #endif
        inited=true;
        continue;
    } catch(const XSeption&) {
        close_socket(&sock);
        done=true;
        cout << "Error waiting on select/poll call" << endl;
        break;
    }
}

memset(temp, 0, BUFSIZE);
charsRead = SSL_read(ssl,temp, (sizeof(char)*BUFSIZE));
cout << endl << "charsRead = " << charsRead << endl;    

if(charsRead>0) {
    response.append(temp, charsRead);
}
cout << "Response : " << response << endl;

int sslerror = SSL_get_error(ssl,charsRead);
cout << "SSL_error_code = " << sslerror << endl;

pending=SSL_pending(ssl);
cout << "pending characters in the current SSL buffer : " << endl;

/*
if(charsRead==1) {
    memset(temp, 0, BUFSIZE);
    cout << "read only one character which is odd,hence reading again" << endl;
    charsRead = SSL_read(ssl,temp, (sizeof(char)*BUFSIZE));
    cout << endl << "charsRead in second read = " << charsRead << endl;
    if(charsRead>0) {
        response.append(temp, charsRead);
    }
    cout << "Second Response : " << response << endl;

    sslerror = SSL_get_error(ssl,charsRead);
    cout << "SSL_error_code = " << sslerror << endl;

    pending=SSL_pending(ssl);
    cout << "pending characters in the current SSL buffer : " << endl;
}
*/

switch(sslerror){

    case SSL_ERROR_NONE:
        cout << "No SSL Error" << endl;
        done=true; //ideally, we should mark the process completed here; but if mark this completed here, then we are getting only 1 character 'H'
        break;
    case SSL_ERROR_WANT_READ:
        cout << "In SSL_ERROR_WANT_READ" << endl;
        //SSLread Still pending
        want_read=true;
        //continue;
        break;

    case SSL_ERROR_WANT_WRITE:
        cout << "In SSL_ERROR_WANT_WRITE" << endl;
        //SSLread Still pending
        want_write=true;
        //continue;
        break;

    case SSL_ERROR_SSL:
        done=true;
        cout << "encountered SSL INTERNAL ERROR" << endl;
        close_socket(&sock);
        break;

    case SSL_ERROR_SYSCALL:
        done=true;
        cout << "encountered ERROR SYSCALL" << endl;
        close_socket(&sock);
        break;

    case SSL_ERROR_ZERO_RETURN:
        done=true;
        cout << "encountered SSL ZERO RETURN" << endl;
        close_socket(&sock);
        break;

    default:
        done=true;
        cout << "encountered default error" << endl;
        close_socket(&sock);
        break;
    } //end of switch  
} //end of while  

cout << "Final Response : " << response << endl;

那么,当 SSL_pending 返回零并且 SSL_get_error 是 SSL_ERROR_NONE 并且我不知道响应的字节数/字符数可以是多长时间时,我如何确定响应是完整的还是待处理的?

我的期望错了吗?即使我们提供了更大的缓冲区,为什么 SSL_read 第一次返回单个字符?

非常感谢这方面的任何帮助......

更新:

while(!done) {
currentTime = getTime();
tval.tv_sec = timeOutValue.tv_sec - (currentTime - beginTime);
tval.tv_usec = timeOutValue.tv_usec;
if ( tval.tv_sec <= 0 ) //the allotted time for processing this request has elapsed
{
    //do not close the socket or SSL session since this is just a timeout issue
    throw Exception::TIMEOUT);
}

#ifdef USE_POLL
    fds.fd = sock;
    fds.events = POLLIN;
#else
    FD_ZERO(&rset);
    FD_SET(sock, &rset);
#endif

if(!inited || want_read || want_write) {
    timeval tv;
    /*
    When we first enter this method or for NON-SSL requests, we would wait till the SELECT call returns a ready file-descriptor but in the case of a SSL requests processing the response message , we just issue SELECT with 0(zero) or very little timeout since SSL_read is giving us a common error code for actual need to check at the socket (SELECT/POLL) and the need to call SSL_read again, if we can find a way to differentiate the need to call SELECT/POLL Vs invoke SSL_read, then this if-else construct needs to be removed and we can then use the complete remaining time for timeout parameter in SELECT/POLL call even for SSL requests
    */
    if(!inited ) {
        tv.tv_sec=tval.tv_sec;
        tv.tv_usec=tval.tv_usec;
    } else {
        tv.tv_sec=0;
        tv.tv_usec=1000;
    }
    try {
        #ifdef USE_POLL
            poll_call(&fds, 1, &tv);
        #else
            select_call(sock+1, &rset, NULL, NULL, &tv);
        #endif
    } catch(const Exception&) {
        /*
        do not close the socket or throw exception; the socket will be closed only if an error occurs or if the server itself the closed the connection
        */
    }
    inited=true;
    want_read=false;
    want_write=false;
}

memset(temp, 0, BUFSIZE);

charsRead = openSSL->SSLread(temp, (sizeof(char)*BUFSIZE));
if(charsRead>0) {
    response.append(temp, charsRead);
    done=is_response_complete(response);
} else {
    int sslerror=openSSL->SSLgetErrorCode(charsRead);
    switch(sslerror){

        case SSL_ERROR_NONE:
            break;

        case SSL_ERROR_WANT_READ:
            want_read=true;
            break;

        case SSL_ERROR_WANT_WRITE:
            want_write=true;
            break;

        case SSL_ERROR_SSL:
            close(openSSL, Exception::SSL_CONNECTION_PROBLEM, 
                    ErrorDescription(sslerror));
            break;

        case SSL_ERROR_SYSCALL:
            close(openSSL,Exception::SERVER_CONNECTION_PROBLEM,
                    ErrorDescription(sslerror));
            break;

        case SSL_ERROR_ZERO_RETURN:
        default:
            close(openSSL,Exception::SSL_CONNECTION_PROBLEM,
                        ErrorDescription(sslerror));
            break;
    } //end of switch
} //end off ssl_error check
}
4

3 回答 3

3

使用 OpenSSL,正常的过程被反转了;

  • 使用普通套接字,select()直到它说套接字是可读或可写的。

  • 使用 SSL 套接字,您可以读取和写入,直到它们返回 SSL_ERROR_WANT_READ/WRITE。只有这样你才打电话select()

“由于 SSL_pending=0 和 SSL_get_error()=SSL_ERROR_NONE,我们找不到任何其他方法来知道是否还有更多数据要读取”

所以你应该假设在你得到 SSL_ERROR_WANT_READ 之前总是有更多的数据要读取。OpenSSL 不是告诉您有更多数据要读取,而是告诉您WANT_READ/WANT_WRITE没有更多数据要读取。

我在我的应用程序中看到了相同的行为;当我执行 时SSL_read,我得到 1 个字节:

G

因为我没有得到 a WANT_READ/WRITE,所以我再次执行 SSL_read 并得到其余数据

ET /index.html HTTP/1.1
Host: etc etc

我继续这样做,直到我得到 WANT_READ/WRITE,然后我等待,select()因为 OpenSSL 说要这样做。

于 2013-01-11T15:51:06.267 回答
3

我也看到了这种行为。处理它的正确方法是您的应用程序应该随时期待任何数量的数据......它是数据的“流”,而不是打包的请求/响应。识别“完整请求/响应”的唯一方法是在应用程序级别对其进行解析。如果您没有完整的数据,请将其缓冲并等待更多数据。传输机制不能也不会告诉你......它只是说“嘿,我有数据”。

于 2012-11-09T12:58:31.653 回答
1

当您通过非阻塞 BIO 读取时,不能保证您将收到所有预期的数据+只需一次调用SSL_read().

因此,可能需要SSL_read()再次调用多次,直到您期望的所有数据都读取,或连接已关闭,或发生错误。

为此,您可以在-loopSSL_read()内部调用.whileselect()

(+) 传输层不知道实际预计要传输多少数据。这要么是(发送方和接收方)都知道的,要么协商需要是应用程序级协议的一部分。

于 2012-11-12T10:39:21.223 回答