Check-in [1b7959d27a]

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Made repeated failures to handshake return fatal errors and made handshake code use the same logic as the rest of the OpenSSL read error checking
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1:1b7959d27a6a7279dd1528df51829142d9b37a66
User & Date: rkeene 2016-12-13 15:43:19
Context
2016-12-13
16:00
Updated to return soft errors on during SSL negotiation retries on reads and hard errors on SSL negotiation during writes or handshake commands check-in: b9557ba691 user: rkeene tags: trunk
15:43
Made repeated failures to handshake return fatal errors and made handshake code use the same logic as the rest of the OpenSSL read error checking check-in: 1b7959d27a user: rkeene tags: trunk
15:29
Reverted [f79122ae17] check-in: 50d8da007b user: rkeene tags: trunk
Changes

Changes to tlsIO.c.

   806    806   	if (!(statePtr->flags & TLS_TCL_INIT)) {
   807    807   		dprintf("Tls_WaitForConnect called on already initialized channel -- returning with immediate success");
   808    808   		*errorCodePtr = 0;
   809    809   		return(0);
   810    810   	}
   811    811   
   812    812   	if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {
          813  +		dprintf("Asked to wait for a TLS handshake that has already failed.  Returning fatal error");
   813    814   		/*
   814         -		 * We choose ECONNRESET over ECONNABORTED here because some server
   815         -		 * side code, on the wiki for example, sets up a read handler that
   816         -		 * does a read and if eof closes the channel. There is no catch/try
   817         -		 * around the reads so exceptions will result in potentially many
   818         -		 * dangling channels hanging around that should have been closed.
   819         -		 * (Backgroun: ECONNABORTED maps to a Tcl exception and 
   820         -		 * ECONNRESET maps to graceful EOF).
          815  +		 * If we get here, we've already returned a soft-failure once.
          816  +		 * Return a hard failure now.
   821    817   		 */
   822         -		*errorCodePtr = ECONNRESET;
          818  +		*errorCodePtr = ECONNABORTED;
   823    819   		return(-1);
   824    820   	}
   825    821   
   826    822   	for (;;) {
   827    823   		/* Not initialized yet! */
   828    824   		if (statePtr->flags & TLS_TCL_SERVER) {
   829    825   			dprintf("Calling SSL_accept()");
................................................................................
   893    889   			dprintf("The connection is up");
   894    890   			break;
   895    891   		case SSL_ERROR_ZERO_RETURN:
   896    892   			dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...")
   897    893   			return(-1);
   898    894   		case SSL_ERROR_SYSCALL:
   899    895   			backingError = ERR_get_error();
   900         -			dprintf("I/O error occured");
   901    896   
   902    897   			if (backingError == 0 && err == 0) {
   903    898   				dprintf("EOF reached")
          899  +				*errorCodePtr = ECONNRESET;
          900  +			} else if (backingError == 0 && err == -1) {
          901  +				dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno());
          902  +				*errorCodePtr = Tcl_GetErrno();
          903  +				if (*errorCodePtr == ECONNRESET) {
          904  +					*errorCodePtr = ECONNABORTED;
          905  +				}
          906  +			} else {
          907  +				dprintf("I/O error occured (backingError = %lu)", backingError);
          908  +				*errorCodePtr = backingError;
          909  +				if (*errorCodePtr == ECONNRESET) {
          910  +					*errorCodePtr = ECONNABORTED;
          911  +				}
   904    912   			}
   905    913   
   906    914   			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
   907         -			*errorCodePtr = ECONNRESET;
          915  +
   908    916   			return(-1);
   909    917   		case SSL_ERROR_SSL:
   910    918   			dprintf("Got permanent fatal SSL error, aborting immediately");
   911    919   			Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error()));
   912    920   			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
   913    921   			*errorCodePtr = ECONNABORTED;
   914    922   			return(-1);