当response跨数据包拆分但SSL_pending为零且SSL_get_error返回SSL_ERROR_NONE时，如何确定是否有更多数据需要读取

Question

我们有一个用C++编写的客户端应用程序，它使用openssl通过SSL连接到Java应用服务器。我们使用带选项的非阻塞套接字连接模式来选择“选择”或“轮询”机制来识别可供读取的数据包。

客户端已经正常工作了很长一段时间，但最近我们注意到一个问题，响应被分成多个数据包，SSL_read只返回一个字符'H‘，SSL_ERROR_NONE和SSL_pending为零，这导致我们的SSL_read循环以不完整的响应结束。在随后作为黑客重新调用SSL_read时，我们得到了从‘TTP1.1’开始的剩余响应。

由于SSL_pending=0和SSL_get_error()=SSL_ERROR_NONE，我们找不到任何其他方法来知道是否有更多的数据需要读取，从而结束只读取一个字符的'SSL_read‘循环。

Here is the relevant pseudo code... 

bool done=false;
int pending=1; bool inited=false;
bool want_read=false; bool want_write=false;
timeval tv;
String response; //internal class for string, legacy            
while(!done) {
if( !inited || want_read || want_write ) {
    try {
        /* Wait a few seconds. */
        if(!inited) {
            tv.tv_sec = timeOutValue.tv_sec;
            tv.tv_usec = timeOutValue.tv_usec;
        } else {
            tv.tv_sec = 0;
            tv.tv_usec = 500000; //hack to reduce the waiting period
        } 
                    #ifdef USE_POLL
            poll the socket
        #else
            call 'select' on the socket
        #endif
        inited=true;
        continue;
    } catch(const XSeption&) {
        close_socket(&sock);
        done=true;
        cout << "Error waiting on select/poll call" << endl;
        break;
    }
}

memset(temp, 0, BUFSIZE);
charsRead = SSL_read(ssl,temp, (sizeof(char)*BUFSIZE));
cout << endl << "charsRead = " << charsRead << endl;    

if(charsRead>0) {
    response.append(temp, charsRead);
}
cout << "Response : " << response << endl;

int sslerror = SSL_get_error(ssl,charsRead);
cout << "SSL_error_code = " << sslerror << endl;

pending=SSL_pending(ssl);
cout << "pending characters in the current SSL buffer : " << endl;

/*
if(charsRead==1) {
    memset(temp, 0, BUFSIZE);
    cout << "read only one character which is odd,hence reading again" << endl;
    charsRead = SSL_read(ssl,temp, (sizeof(char)*BUFSIZE));
    cout << endl << "charsRead in second read = " << charsRead << endl;
    if(charsRead>0) {
        response.append(temp, charsRead);
    }
    cout << "Second Response : " << response << endl;

    sslerror = SSL_get_error(ssl,charsRead);
    cout << "SSL_error_code = " << sslerror << endl;

    pending=SSL_pending(ssl);
    cout << "pending characters in the current SSL buffer : " << endl;
}
*/

switch(sslerror){

    case SSL_ERROR_NONE:
        cout << "No SSL Error" << endl;
        done=true; //ideally, we should mark the process completed here; but if mark this completed here, then we are getting only 1 character 'H'
        break;
    case SSL_ERROR_WANT_READ:
        cout << "In SSL_ERROR_WANT_READ" << endl;
        //SSLread Still pending
        want_read=true;
        //continue;
        break;

    case SSL_ERROR_WANT_WRITE:
        cout << "In SSL_ERROR_WANT_WRITE" << endl;
        //SSLread Still pending
        want_write=true;
        //continue;
        break;

    case SSL_ERROR_SSL:
        done=true;
        cout << "encountered SSL INTERNAL ERROR" << endl;
        close_socket(&sock);
        break;

    case SSL_ERROR_SYSCALL:
        done=true;
        cout << "encountered ERROR SYSCALL" << endl;
        close_socket(&sock);
        break;

    case SSL_ERROR_ZERO_RETURN:
        done=true;
        cout << "encountered SSL ZERO RETURN" << endl;
        close_socket(&sock);
        break;

    default:
        done=true;
        cout << "encountered default error" << endl;
        close_socket(&sock);
        break;
    } //end of switch  
} //end of while  

cout << "Final Response : " << response << endl;  

那么，当SSL_pending返回0，SSL_get_error为SSL_ERROR_NONE，并且我不知道响应可以有多长时，我如何确定响应是完成的还是挂起的？

我的期望是错误的吗？为什么SSL_read第一次返回单个字符，即使我们提供了更大的缓冲区？

在这方面的任何帮助都是非常感谢的。

更新：

while(!done) {
currentTime = getTime();
tval.tv_sec = timeOutValue.tv_sec - (currentTime - beginTime);
tval.tv_usec = timeOutValue.tv_usec;
if ( tval.tv_sec <= 0 ) //the allotted time for processing this request has elapsed
{
    //do not close the socket or SSL session since this is just a timeout issue
    throw Exception::TIMEOUT);
}

#ifdef USE_POLL
    fds.fd = sock;
    fds.events = POLLIN;
#else
    FD_ZERO(&rset);
    FD_SET(sock, &rset);
#endif

if(!inited || want_read || want_write) {
    timeval tv;
    /*
    When we first enter this method or for NON-SSL requests, we would wait till the SELECT call returns a ready file-descriptor but in the case of a SSL requests processing the response message , we just issue SELECT with 0(zero) or very little timeout since SSL_read is giving us a common error code for actual need to check at the socket (SELECT/POLL) and the need to call SSL_read again, if we can find a way to differentiate the need to call SELECT/POLL Vs invoke SSL_read, then this if-else construct needs to be removed and we can then use the complete remaining time for timeout parameter in SELECT/POLL call even for SSL requests
    */
    if(!inited ) {
        tv.tv_sec=tval.tv_sec;
        tv.tv_usec=tval.tv_usec;
    } else {
        tv.tv_sec=0;
        tv.tv_usec=1000;
    }
    try {
        #ifdef USE_POLL
            poll_call(&fds, 1, &tv);
        #else
            select_call(sock+1, &rset, NULL, NULL, &tv);
        #endif
    } catch(const Exception&) {
        /*
        do not close the socket or throw exception; the socket will be closed only if an error occurs or if the server itself the closed the connection
        */
    }
    inited=true;
    want_read=false;
    want_write=false;
}

memset(temp, 0, BUFSIZE);

charsRead = openSSL->SSLread(temp, (sizeof(char)*BUFSIZE));
if(charsRead>0) {
    response.append(temp, charsRead);
    done=is_response_complete(response);
} else {
    int sslerror=openSSL->SSLgetErrorCode(charsRead);
    switch(sslerror){

        case SSL_ERROR_NONE:
            break;

        case SSL_ERROR_WANT_READ:
            want_read=true;
            break;

        case SSL_ERROR_WANT_WRITE:
            want_write=true;
            break;

        case SSL_ERROR_SSL:
            close(openSSL, Exception::SSL_CONNECTION_PROBLEM, 
                    ErrorDescription(sslerror));
            break;

        case SSL_ERROR_SYSCALL:
            close(openSSL,Exception::SERVER_CONNECTION_PROBLEM,
                    ErrorDescription(sslerror));
            break;

        case SSL_ERROR_ZERO_RETURN:
        default:
            close(openSSL,Exception::SSL_CONNECTION_PROBLEM,
                        ErrorDescription(sslerror));
            break;
    } //end of switch
} //end off ssl_error check
}

Answer 1

我也看到过这种行为。处理它的正确方法是你的应用程序应该在任何时候期待任何数量的数据……它是一个数据流，而不是打包的请求/响应。识别“完整请求/响应”的唯一方法是在应用程序级别对其进行解析。如果你没有一个完整的，缓冲它并等待更多的数据。传输机制不能也不会告诉你...它只是说“嘿，我有数据”。

Answer 2

有了OpenSSL，正常的过程被颠倒了；

对于普通的套接字，你需要读写，直到它显示该套接字是可读或可写的。对于SSL套接字，你可以读写，直到它们返回_

• _ select() _

/

• 。只有这样才能调用select().

由于SSL_pending=0和SSL_get_error()=SSL_ERROR_NONE，我们找不到任何其他方法来了解是否有更多数据要读取

因此，您应该假设在获得SSL_ERROR_WANT_READ之前，总是有更多的数据需要读取。OpenSSL不是告诉您有更多的数据要读取，而是使用WANT_READ/WANT_WRITE告诉您没有更多的数据要读取。

我在我的应用程序中看到了同样的行为；当我执行SSL_read时，我会得到1个字节：

G

因为我没有得到WANT_READ/WRITE，所以我再次执行SSL_read，然后我得到了其余的数据

ET /index.html HTTP/1.1
Host: etc etc

我继续这样做，直到我得到WANT_READ/WRITE，然后我等待select()，因为OpenSSL说要这样做。