]>
Commit | Line | Data |
---|---|---|
a598cd1a BM |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
1e4e5492 | 5 | SSL_get_error - obtain result code for TLS/SSL I/O operation |
a598cd1a BM |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
9 | #include <openssl/ssl.h> | |
10 | ||
c3e64028 | 11 | int SSL_get_error(const SSL *ssl, int ret); |
a598cd1a BM |
12 | |
13 | =head1 DESCRIPTION | |
14 | ||
15 | SSL_get_error() returns a result code (suitable for the C "switch" | |
02750ff5 | 16 | statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(), |
df9fd168 MR |
17 | SSL_read_ex(), SSL_read(), SSL_peek_ex(), SSL_peek(), SSL_shutdown(), |
18 | SSL_write_ex() or SSL_write() on B<ssl>. The value returned by that TLS/SSL I/O | |
19 | function must be passed to SSL_get_error() in parameter B<ret>. | |
a598cd1a BM |
20 | |
21 | In addition to B<ssl> and B<ret>, SSL_get_error() inspects the | |
22 | current thread's OpenSSL error queue. Thus, SSL_get_error() must be | |
1e4e5492 | 23 | used in the same thread that performed the TLS/SSL I/O operation, and no |
f5a8d678 | 24 | other OpenSSL function calls should appear in between. The current |
1e4e5492 | 25 | thread's error queue must be empty before the TLS/SSL I/O operation is |
a598cd1a BM |
26 | attempted, or SSL_get_error() will not work reliably. |
27 | ||
28 | =head1 RETURN VALUES | |
29 | ||
30 | The following return values can currently occur: | |
31 | ||
32 | =over 4 | |
33 | ||
34 | =item SSL_ERROR_NONE | |
35 | ||
1e4e5492 | 36 | The TLS/SSL I/O operation completed. This result code is returned |
f5a8d678 | 37 | if and only if B<ret E<gt> 0>. |
a598cd1a BM |
38 | |
39 | =item SSL_ERROR_ZERO_RETURN | |
40 | ||
2f6f913e | 41 | The TLS/SSL peer has closed the connection for writing by sending the |
8e593f0a | 42 | close_notify alert. |
2f6f913e KR |
43 | No more data can be read. |
44 | Note that B<SSL_ERROR_ZERO_RETURN> does not necessarily | |
beacb0f0 | 45 | indicate that the underlying transport has been closed. |
a598cd1a BM |
46 | |
47 | =item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE | |
48 | ||
57fd5170 KR |
49 | The operation did not complete and can be retried later. |
50 | ||
51 | B<SSL_ERROR_WANT_READ> is returned when the last operation was a read | |
52 | operation from a non-blocking B<BIO>. | |
53 | It means that not enough data was available at this time to complete the | |
54 | operation. | |
55 | If at a later time the underlying B<BIO> has data available for reading the same | |
56 | function can be called again. | |
57 | ||
58 | SSL_read() and SSL_read_ex() can also set B<SSL_ERROR_WANT_READ> when there is | |
59 | still unprocessed data available at either the B<SSL> or the B<BIO> layer, even | |
60 | for a blocking B<BIO>. | |
61 | See L<SSL_read(3)> for more information. | |
62 | ||
63 | B<SSL_ERROR_WANT_WRITE> is returned when the last operation was a write | |
64 | to a non-blocking B<BIO> and it was unable to sent all data to the B<BIO>. | |
65 | When the B<BIO> is writeable again, the same function can be called again. | |
66 | ||
67 | Note that the retry may again lead to an B<SSL_ERROR_WANT_READ> or | |
68 | B<SSL_ERROR_WANT_WRITE> condition. | |
2984b0ae BM |
69 | There is no fixed upper limit for the number of iterations that |
70 | may be necessary until progress becomes visible at application | |
71 | protocol level. | |
72 | ||
57fd5170 KR |
73 | It is safe to call SSL_read() or SSL_read_ex() when more data is available |
74 | even when the call that set this error was an SSL_write() or SSL_write_ex(). | |
75 | However if the call was an SSL_write() or SSL_write_ex(), it should be called | |
76 | again to continue sending the application data. | |
77 | ||
2984b0ae BM |
78 | For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or |
79 | poll() on the underlying socket can be used to find out when the | |
80 | TLS/SSL I/O function should be retried. | |
a598cd1a | 81 | |
37b08e83 | 82 | Caveat: Any TLS/SSL I/O function can lead to either of |
57fd5170 KR |
83 | B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>. |
84 | In particular, | |
6782e5fd | 85 | SSL_read_ex(), SSL_read(), SSL_peek_ex(), or SSL_peek() may want to write data |
57fd5170 KR |
86 | and SSL_write() or SSL_write_ex() may want to read data. |
87 | This is mainly because | |
7714dc5e MC |
88 | TLS/SSL handshakes may occur at any time during the protocol (initiated by |
89 | either the client or the server); SSL_read_ex(), SSL_read(), SSL_peek_ex(), | |
6782e5fd | 90 | SSL_peek(), SSL_write_ex(), and SSL_write() will handle any pending handshakes. |
a598cd1a | 91 | |
74daa124 LJ |
92 | =item SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT |
93 | ||
94 | The operation did not complete; the same TLS/SSL I/O function should be | |
95 | called again later. The underlying BIO was not connected yet to the peer | |
96 | and the call would block in connect()/accept(). The SSL function should be | |
97 | called again when the connection is established. These messages can only | |
98 | appear with a BIO_s_connect() or BIO_s_accept() BIO, respectively. | |
99 | In order to find out, when the connection has been successfully established, | |
100 | on many platforms select() or poll() for writing on the socket file descriptor | |
101 | can be used. | |
102 | ||
a598cd1a BM |
103 | =item SSL_ERROR_WANT_X509_LOOKUP |
104 | ||
105 | The operation did not complete because an application callback set by | |
106 | SSL_CTX_set_client_cert_cb() has asked to be called again. | |
37b08e83 | 107 | The TLS/SSL I/O function should be called again later. |
a598cd1a BM |
108 | Details depend on the application. |
109 | ||
bc8857bf MC |
110 | =item SSL_ERROR_WANT_ASYNC |
111 | ||
112 | The operation did not complete because an asynchronous engine is still | |
113 | processing data. This will only occur if the mode has been set to SSL_MODE_ASYNC | |
114 | using L<SSL_CTX_set_mode(3)> or L<SSL_set_mode(3)> and an asynchronous capable | |
115 | engine is being used. An application can determine whether the engine has | |
116 | completed its processing using select() or poll() on the asynchronous wait file | |
117 | descriptor. This file descriptor is available by calling | |
c0e32b16 MC |
118 | L<SSL_get_all_async_fds(3)> or L<SSL_get_changed_async_fds(3)>. The TLS/SSL I/O |
119 | function should be called again later. The function B<must> be called from the | |
120 | same thread that the original call was made from. | |
bc8857bf | 121 | |
fc7f190c MC |
122 | =item SSL_ERROR_WANT_ASYNC_JOB |
123 | ||
124 | The asynchronous job could not be started because there were no async jobs | |
125 | available in the pool (see ASYNC_init_thread(3)). This will only occur if the | |
126 | mode has been set to SSL_MODE_ASYNC using L<SSL_CTX_set_mode(3)> or | |
127 | L<SSL_set_mode(3)> and a maximum limit has been set on the async job pool | |
128 | through a call to L<ASYNC_init_thread(3)>. The application should retry the | |
129 | operation after a currently executing asynchronous operation for the current | |
130 | thread has completed. | |
131 | ||
a9c0d8be | 132 | =item SSL_ERROR_WANT_CLIENT_HELLO_CB |
6b1bb98f BK |
133 | |
134 | The operation did not complete because an application callback set by | |
a9c0d8be | 135 | SSL_CTX_set_client_hello_cb() has asked to be called again. |
6b1bb98f BK |
136 | The TLS/SSL I/O function should be called again later. |
137 | Details depend on the application. | |
138 | ||
a598cd1a BM |
139 | =item SSL_ERROR_SYSCALL |
140 | ||
f4800345 MC |
141 | Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may |
142 | contain more information on the error. For socket I/O on Unix systems, consult | |
143 | B<errno> for details. If this error occurs then no further I/O operations should | |
144 | be performed on the connection and SSL_shutdown() must not be called. | |
a598cd1a | 145 | |
57fd5170 KR |
146 | This value can also be returned for other errors, check the error queue for |
147 | details. | |
148 | ||
a598cd1a BM |
149 | =item SSL_ERROR_SSL |
150 | ||
f4800345 MC |
151 | A non-recoverable, fatal error in the SSL library occurred, usually a protocol |
152 | error. The OpenSSL error queue contains more information on the error. If this | |
153 | error occurs then no further I/O operations should be performed on the | |
154 | connection and SSL_shutdown() must not be called. | |
a598cd1a BM |
155 | |
156 | =back | |
157 | ||
158 | =head1 SEE ALSO | |
159 | ||
73fb82b7 | 160 | L<ssl(7)> |
a598cd1a | 161 | |
bc8857bf MC |
162 | =head1 HISTORY |
163 | ||
fc5ecadd DMSP |
164 | The SSL_ERROR_WANT_ASYNC error code was added in OpenSSL 1.1.0. |
165 | The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1. | |
bc8857bf | 166 | |
e2f92610 RS |
167 | =head1 COPYRIGHT |
168 | ||
c4d3c19b | 169 | Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 170 | |
4746f25a | 171 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
172 | this file except in compliance with the License. You can obtain a copy |
173 | in the file LICENSE in the source distribution or at | |
174 | L<https://www.openssl.org/source/license.html>. | |
175 | ||
176 | =cut |