From fd70c1ac81ecd089f3ac8ead26225df9e098b721 Mon Sep 17 00:00:00 2001 From: Wojtek Kaniewski Date: Thu, 19 Dec 2019 21:45:54 +0100 Subject: [PATCH] openssl: handle negotiation errors handling in client If a client connects to a SSL server and the server sends handshake alert (e.g. no matching ciphers) SSL_connect() fails, but because SSL_ERROR_SSL return value is not handled, it's not considered a failure. SSL_want_read() will return 1 and the client will happily wait for more data from the server. Now if the server closes connection after sending handshake alert, POLLIN event will be triggered, lws_tls_client_connect() called again, but SSL_connect() will fail without calling read(), so the client will end up consuming 100% CPU because POLLIN will be triggered repeatedly. Similar error handling is used in lws_tls_server_accept() and the condition checks for SSL_ERROR_SSL. Using the same condition in lws_tls_client_connect() fixes the problem. Tested with OpenSSL 1.0.2k. --- lib/tls/openssl/openssl-client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c index 47a6fbc5e..12af37103 100644 --- a/lib/tls/openssl/openssl-client.c +++ b/lib/tls/openssl/openssl-client.c @@ -309,7 +309,7 @@ lws_tls_client_connect(struct lws *wsi) m = lws_ssl_get_error(wsi, n); - if (m == SSL_ERROR_SYSCALL) + if (m == SSL_ERROR_SYSCALL || m == SSL_ERROR_SSL) return LWS_SSL_CAPABLE_ERROR; if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl))