From ea50c8722cfa792355e2e15436f193e08b0fd173 Mon Sep 17 00:00:00 2001 From: Wojtek Kaniewski Date: Thu, 19 Dec 2019 21:45:54 +0100 Subject: [PATCH] openssl: handle negotiation errors handling in client If a client connects to a SSL server and the server sends handshake alert (e.g. no matching ciphers) SSL_connect() fails, but because SSL_ERROR_SSL return value is not handled, it's not considered a failure. SSL_want_read() will return 1 and the client will happily wait for more data from the server. Now if the server closes connection after sending handshake alert, POLLIN event will be triggered, lws_tls_client_connect() called again, but SSL_connect() will fail without calling read(), so the client will end up consuming 100% CPU because POLLIN will be triggered repeatedly. Similar error handling is used in lws_tls_server_accept() and the condition checks for SSL_ERROR_SSL. Using the same condition in lws_tls_client_connect() fixes the problem. Tested with OpenSSL 1.0.2k. --- lib/tls/openssl/openssl-client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c index 96f4fdb03..a8ea728fc 100644 --- a/lib/tls/openssl/openssl-client.c +++ b/lib/tls/openssl/openssl-client.c @@ -380,7 +380,7 @@ lws_tls_client_connect(struct lws *wsi) m = lws_ssl_get_error(wsi, n); - if (m == SSL_ERROR_SYSCALL) + if (m == SSL_ERROR_SYSCALL || m == SSL_ERROR_SSL) return LWS_SSL_CAPABLE_ERROR; if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl))