[thirdparty/openssl.git] / doc / man3 / SSL_get_error.pod

=pod

=head1 NAME

SSL_get_error - obtain result code for TLS/SSL I/O operation

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 int SSL_get_error(const SSL *ssl, int ret);

=head1 DESCRIPTION

SSL_get_error() returns a result code (suitable for the C "switch"
statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(),
SSL_read_ex(), SSL_read(), SSL_peek_ex(), SSL_peek(), SSL_shutdown(),
SSL_write_ex() or SSL_write() on B<ssl>.  The value returned by that TLS/SSL I/O
function must be passed to SSL_get_error() in parameter B<ret>.

In addition to B<ssl> and B<ret>, SSL_get_error() inspects the
current thread's OpenSSL error queue.  Thus, SSL_get_error() must be
used in the same thread that performed the TLS/SSL I/O operation, and no
other OpenSSL function calls should appear in between.  The current
thread's error queue must be empty before the TLS/SSL I/O operation is
attempted, or SSL_get_error() will not work reliably.

=head1 RETURN VALUES

The following return values can currently occur:

=over 4

=item SSL_ERROR_NONE

The TLS/SSL I/O operation completed.  This result code is returned
if and only if B<ret E<gt> 0>.

=item SSL_ERROR_ZERO_RETURN

The TLS/SSL peer has closed the connection for writing by sending the
close_notify alert.
No more data can be read.
Note that B<SSL_ERROR_ZERO_RETURN> does not necessarily
indicate that the underlying transport has been closed.

=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE

The operation did not complete and can be retried later.

B<SSL_ERROR_WANT_READ> is returned when the last operation was a read
operation from a non-blocking B<BIO>.
It means that not enough data was available at this time to complete the
operation.
If at a later time the underlying B<BIO> has data available for reading the same
function can be called again.

SSL_read() and SSL_read_ex() can also set B<SSL_ERROR_WANT_READ> when there is
still unprocessed data available at either the B<SSL> or the B<BIO> layer, even
for a blocking B<BIO>.
See L<SSL_read(3)> for more information.

B<SSL_ERROR_WANT_WRITE> is returned when the last operation was a write
to a non-blocking B<BIO> and it was unable to sent all data to the B<BIO>.
When the B<BIO> is writeable again, the same function can be called again.

Note that the retry may again lead to an B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE> condition.
There is no fixed upper limit for the number of iterations that
may be necessary until progress becomes visible at application
protocol level.

It is safe to call SSL_read() or SSL_read_ex() when more data is available
even when the call that set this error was an SSL_write() or SSL_write_ex().
However if the call was an SSL_write() or SSL_write_ex(), it should be called
again to continue sending the application data.

For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or
poll() on the underlying socket can be used to find out when the
TLS/SSL I/O function should be retried.

Caveat: Any TLS/SSL I/O function can lead to either of
B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>.
In particular,
SSL_read_ex(), SSL_read(), SSL_peek_ex(), or SSL_peek() may want to write data
and SSL_write() or SSL_write_ex() may want to read data.
This is mainly because
TLS/SSL handshakes may occur at any time during the protocol (initiated by
either the client or the server); SSL_read_ex(), SSL_read(), SSL_peek_ex(),
SSL_peek(), SSL_write_ex(), and SSL_write() will handle any pending handshakes.

=item SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT

The operation did not complete; the same TLS/SSL I/O function should be
called again later. The underlying BIO was not connected yet to the peer
and the call would block in connect()/accept(). The SSL function should be
called again when the connection is established. These messages can only
appear with a BIO_s_connect() or BIO_s_accept() BIO, respectively.
In order to find out, when the connection has been successfully established,
on many platforms select() or poll() for writing on the socket file descriptor
can be used.

=item SSL_ERROR_WANT_X509_LOOKUP

The operation did not complete because an application callback set by
SSL_CTX_set_client_cert_cb() has asked to be called again.
The TLS/SSL I/O function should be called again later.
Details depend on the application.

=item SSL_ERROR_WANT_ASYNC

The operation did not complete because an asynchronous engine is still
processing data. This will only occur if the mode has been set to SSL_MODE_ASYNC
using L<SSL_CTX_set_mode(3)> or L<SSL_set_mode(3)> and an asynchronous capable
engine is being used. An application can determine whether the engine has
completed its processing using select() or poll() on the asynchronous wait file
descriptor. This file descriptor is available by calling
L<SSL_get_all_async_fds(3)> or L<SSL_get_changed_async_fds(3)>. The TLS/SSL I/O
function should be called again later. The function B<must> be called from the
same thread that the original call was made from.

=item SSL_ERROR_WANT_ASYNC_JOB

The asynchronous job could not be started because there were no async jobs
available in the pool (see ASYNC_init_thread(3)). This will only occur if the
mode has been set to SSL_MODE_ASYNC using L<SSL_CTX_set_mode(3)> or
L<SSL_set_mode(3)> and a maximum limit has been set on the async job pool
through a call to L<ASYNC_init_thread(3)>. The application should retry the
operation after a currently executing asynchronous operation for the current
thread has completed.

=item SSL_ERROR_WANT_CLIENT_HELLO_CB

The operation did not complete because an application callback set by
SSL_CTX_set_client_hello_cb() has asked to be called again.
The TLS/SSL I/O function should be called again later.
Details depend on the application.

=item SSL_ERROR_SYSCALL

Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may
contain more information on the error. For socket I/O on Unix systems, consult
B<errno> for details. If this error occurs then no further I/O operations should
be performed on the connection and SSL_shutdown() must not be called.

This value can also be returned for other errors, check the error queue for
details.

=item SSL_ERROR_SSL

A non-recoverable, fatal error in the SSL library occurred, usually a protocol
error.  The OpenSSL error queue contains more information on the error. If this
error occurs then no further I/O operations should be performed on the
connection and SSL_shutdown() must not be called.

=back

=head1 SEE ALSO

L<ssl(7)>

=head1 HISTORY

The SSL_ERROR_WANT_ASYNC error code was added in OpenSSL 1.1.0.
The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1.

=head1 COPYRIGHT

Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
a598cd1a BM	1	=pod
	2
	3	=head1 NAME
	4
1e4e5492	5	SSL_get_error - obtain result code for TLS/SSL I/O operation
a598cd1a BM	6
	7	=head1 SYNOPSIS
	8
	9	#include <openssl/ssl.h>
	10
c3e64028	11	int SSL_get_error(const SSL *ssl, int ret);
a598cd1a BM	12
	13	=head1 DESCRIPTION
	14
	15	SSL_get_error() returns a result code (suitable for the C "switch"
02750ff5	16	statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(),
df9fd168 MR	17	SSL_read_ex(), SSL_read(), SSL_peek_ex(), SSL_peek(), SSL_shutdown(),
	18	SSL_write_ex() or SSL_write() on B<ssl>. The value returned by that TLS/SSL I/O
	19	function must be passed to SSL_get_error() in parameter B<ret>.
a598cd1a BM	20
	21	In addition to B<ssl> and B<ret>, SSL_get_error() inspects the
	22	current thread's OpenSSL error queue. Thus, SSL_get_error() must be
1e4e5492	23	used in the same thread that performed the TLS/SSL I/O operation, and no
f5a8d678	24	other OpenSSL function calls should appear in between. The current
1e4e5492	25	thread's error queue must be empty before the TLS/SSL I/O operation is
a598cd1a BM	26	attempted, or SSL_get_error() will not work reliably.
	27
	28	=head1 RETURN VALUES
	29
	30	The following return values can currently occur:
	31
	32	=over 4
	33
	34	=item SSL_ERROR_NONE
	35
1e4e5492	36	The TLS/SSL I/O operation completed. This result code is returned
f5a8d678	37	if and only if B<ret E<gt> 0>.
a598cd1a BM	38
	39	=item SSL_ERROR_ZERO_RETURN
	40
2f6f913e	41	The TLS/SSL peer has closed the connection for writing by sending the
8e593f0a	42	close_notify alert.
2f6f913e KR	43	No more data can be read.
2f6f913e KR	44	Note that B<SSL_ERROR_ZERO_RETURN> does not necessarily
beacb0f0	45	indicate that the underlying transport has been closed.
a598cd1a BM	46
	47	=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
	48
57fd5170 KR	49	The operation did not complete and can be retried later.
	50
	51	B<SSL_ERROR_WANT_READ> is returned when the last operation was a read
	52	operation from a non-blocking B<BIO>.
	53	It means that not enough data was available at this time to complete the
	54	operation.
	55	If at a later time the underlying B<BIO> has data available for reading the same
	56	function can be called again.
	57
	58	SSL_read() and SSL_read_ex() can also set B<SSL_ERROR_WANT_READ> when there is
	59	still unprocessed data available at either the B<SSL> or the B<BIO> layer, even
	60	for a blocking B<BIO>.
	61	See L<SSL_read(3)> for more information.
	62
	63	B<SSL_ERROR_WANT_WRITE> is returned when the last operation was a write
	64	to a non-blocking B<BIO> and it was unable to sent all data to the B<BIO>.
	65	When the B<BIO> is writeable again, the same function can be called again.
	66
	67	Note that the retry may again lead to an B<SSL_ERROR_WANT_READ> or
	68	B<SSL_ERROR_WANT_WRITE> condition.
2984b0ae BM	69	There is no fixed upper limit for the number of iterations that
	70	may be necessary until progress becomes visible at application
	71	protocol level.
	72
57fd5170 KR	73	It is safe to call SSL_read() or SSL_read_ex() when more data is available
	74	even when the call that set this error was an SSL_write() or SSL_write_ex().
	75	However if the call was an SSL_write() or SSL_write_ex(), it should be called
	76	again to continue sending the application data.
	77
2984b0ae BM	78	For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or
	79	poll() on the underlying socket can be used to find out when the
	80	TLS/SSL I/O function should be retried.
a598cd1a	81
37b08e83	82	Caveat: Any TLS/SSL I/O function can lead to either of
57fd5170 KR	83	B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>.
57fd5170 KR	84	In particular,
6782e5fd	85	SSL_read_ex(), SSL_read(), SSL_peek_ex(), or SSL_peek() may want to write data
57fd5170 KR	86	and SSL_write() or SSL_write_ex() may want to read data.
57fd5170 KR	87	This is mainly because
7714dc5e MC	88	TLS/SSL handshakes may occur at any time during the protocol (initiated by
7714dc5e MC	89	either the client or the server); SSL_read_ex(), SSL_read(), SSL_peek_ex(),
6782e5fd	90	SSL_peek(), SSL_write_ex(), and SSL_write() will handle any pending handshakes.
a598cd1a	91
74daa124 LJ	92	=item SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT
	93
	94	The operation did not complete; the same TLS/SSL I/O function should be
	95	called again later. The underlying BIO was not connected yet to the peer
	96	and the call would block in connect()/accept(). The SSL function should be
	97	called again when the connection is established. These messages can only
	98	appear with a BIO_s_connect() or BIO_s_accept() BIO, respectively.
	99	In order to find out, when the connection has been successfully established,
	100	on many platforms select() or poll() for writing on the socket file descriptor
	101	can be used.
	102
a598cd1a BM	103	=item SSL_ERROR_WANT_X509_LOOKUP
	104
	105	The operation did not complete because an application callback set by
	106	SSL_CTX_set_client_cert_cb() has asked to be called again.
37b08e83	107	The TLS/SSL I/O function should be called again later.
a598cd1a BM	108	Details depend on the application.
a598cd1a BM	109
bc8857bf MC	110	=item SSL_ERROR_WANT_ASYNC
	111
	112	The operation did not complete because an asynchronous engine is still
	113	processing data. This will only occur if the mode has been set to SSL_MODE_ASYNC
	114	using L<SSL_CTX_set_mode(3)> or L<SSL_set_mode(3)> and an asynchronous capable
	115	engine is being used. An application can determine whether the engine has
	116	completed its processing using select() or poll() on the asynchronous wait file
	117	descriptor. This file descriptor is available by calling
c0e32b16 MC	118	L<SSL_get_all_async_fds(3)> or L<SSL_get_changed_async_fds(3)>. The TLS/SSL I/O
	119	function should be called again later. The function B<must> be called from the
	120	same thread that the original call was made from.
bc8857bf	121
fc7f190c MC	122	=item SSL_ERROR_WANT_ASYNC_JOB
	123
	124	The asynchronous job could not be started because there were no async jobs
	125	available in the pool (see ASYNC_init_thread(3)). This will only occur if the
	126	mode has been set to SSL_MODE_ASYNC using L<SSL_CTX_set_mode(3)> or
	127	L<SSL_set_mode(3)> and a maximum limit has been set on the async job pool
	128	through a call to L<ASYNC_init_thread(3)>. The application should retry the
	129	operation after a currently executing asynchronous operation for the current
	130	thread has completed.
	131
a9c0d8be	132	=item SSL_ERROR_WANT_CLIENT_HELLO_CB
6b1bb98f BK	133
6b1bb98f BK	134	The operation did not complete because an application callback set by
a9c0d8be	135	SSL_CTX_set_client_hello_cb() has asked to be called again.
6b1bb98f BK	136	The TLS/SSL I/O function should be called again later.
	137	Details depend on the application.
	138
a598cd1a BM	139	=item SSL_ERROR_SYSCALL
a598cd1a BM	140
f4800345 MC	141	Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may
	142	contain more information on the error. For socket I/O on Unix systems, consult
	143	B<errno> for details. If this error occurs then no further I/O operations should
	144	be performed on the connection and SSL_shutdown() must not be called.
a598cd1a	145
57fd5170 KR	146	This value can also be returned for other errors, check the error queue for
	147	details.
	148
a598cd1a BM	149	=item SSL_ERROR_SSL
a598cd1a BM	150
f4800345 MC	151	A non-recoverable, fatal error in the SSL library occurred, usually a protocol
	152	error. The OpenSSL error queue contains more information on the error. If this
	153	error occurs then no further I/O operations should be performed on the
	154	connection and SSL_shutdown() must not be called.
a598cd1a BM	155
	156	=back
	157
	158	=head1 SEE ALSO
	159
73fb82b7	160	L<ssl(7)>
a598cd1a	161
bc8857bf MC	162	=head1 HISTORY
bc8857bf MC	163
fc5ecadd DMSP	164	The SSL_ERROR_WANT_ASYNC error code was added in OpenSSL 1.1.0.
fc5ecadd DMSP	165	The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1.
bc8857bf	166
e2f92610 RS	167	=head1 COPYRIGHT
e2f92610 RS	168
c4d3c19b	169	Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	170
4746f25a	171	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	172	this file except in compliance with the License. You can obtain a copy
	173	in the file LICENSE in the source distribution or at
	174	L<https://www.openssl.org/source/license.html>.
	175
	176	=cut