]>
Commit | Line | Data |
---|---|---|
a598cd1a BM |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
1e4e5492 | 5 | SSL_get_error - obtain result code for TLS/SSL I/O operation |
a598cd1a BM |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
9 | #include <openssl/ssl.h> | |
10 | ||
c3e64028 | 11 | int SSL_get_error(const SSL *ssl, int ret); |
a598cd1a BM |
12 | |
13 | =head1 DESCRIPTION | |
14 | ||
15 | SSL_get_error() returns a result code (suitable for the C "switch" | |
02750ff5 | 16 | statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(), |
df9fd168 MR |
17 | SSL_read_ex(), SSL_read(), SSL_peek_ex(), SSL_peek(), SSL_shutdown(), |
18 | SSL_write_ex() or SSL_write() on B<ssl>. The value returned by that TLS/SSL I/O | |
19 | function must be passed to SSL_get_error() in parameter B<ret>. | |
a598cd1a BM |
20 | |
21 | In addition to B<ssl> and B<ret>, SSL_get_error() inspects the | |
22 | current thread's OpenSSL error queue. Thus, SSL_get_error() must be | |
1e4e5492 | 23 | used in the same thread that performed the TLS/SSL I/O operation, and no |
f5a8d678 | 24 | other OpenSSL function calls should appear in between. The current |
1e4e5492 | 25 | thread's error queue must be empty before the TLS/SSL I/O operation is |
a598cd1a BM |
26 | attempted, or SSL_get_error() will not work reliably. |
27 | ||
09b90e0e DB |
28 | =head1 NOTES |
29 | ||
30 | Some TLS implementations do not send a close_notify alert on shutdown. | |
31 | ||
32 | On an unexpected EOF, versions before OpenSSL 3.0 returned | |
33 | B<SSL_ERROR_SYSCALL>, nothing was added to the error stack, and errno was 0. | |
34 | Since OpenSSL 3.0 the returned error is B<SSL_ERROR_SSL> with a meaningful | |
35 | error on the error stack. | |
36 | ||
a598cd1a BM |
37 | =head1 RETURN VALUES |
38 | ||
39 | The following return values can currently occur: | |
40 | ||
41 | =over 4 | |
42 | ||
43 | =item SSL_ERROR_NONE | |
44 | ||
1e4e5492 | 45 | The TLS/SSL I/O operation completed. This result code is returned |
f5a8d678 | 46 | if and only if B<ret E<gt> 0>. |
a598cd1a BM |
47 | |
48 | =item SSL_ERROR_ZERO_RETURN | |
49 | ||
2f6f913e | 50 | The TLS/SSL peer has closed the connection for writing by sending the |
8e593f0a | 51 | close_notify alert. |
2f6f913e KR |
52 | No more data can be read. |
53 | Note that B<SSL_ERROR_ZERO_RETURN> does not necessarily | |
beacb0f0 | 54 | indicate that the underlying transport has been closed. |
a598cd1a | 55 | |
09b90e0e DB |
56 | This error can also appear when the option B<SSL_OP_IGNORE_UNEXPECTED_EOF> |
57 | is set. See L<SSL_CTX_set_options(3)> for more details. | |
58 | ||
a598cd1a BM |
59 | =item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE |
60 | ||
57fd5170 KR |
61 | The operation did not complete and can be retried later. |
62 | ||
63 | B<SSL_ERROR_WANT_READ> is returned when the last operation was a read | |
64 | operation from a non-blocking B<BIO>. | |
65 | It means that not enough data was available at this time to complete the | |
66 | operation. | |
67 | If at a later time the underlying B<BIO> has data available for reading the same | |
68 | function can be called again. | |
69 | ||
70 | SSL_read() and SSL_read_ex() can also set B<SSL_ERROR_WANT_READ> when there is | |
71 | still unprocessed data available at either the B<SSL> or the B<BIO> layer, even | |
72 | for a blocking B<BIO>. | |
73 | See L<SSL_read(3)> for more information. | |
74 | ||
75 | B<SSL_ERROR_WANT_WRITE> is returned when the last operation was a write | |
76 | to a non-blocking B<BIO> and it was unable to sent all data to the B<BIO>. | |
77 | When the B<BIO> is writeable again, the same function can be called again. | |
78 | ||
79 | Note that the retry may again lead to an B<SSL_ERROR_WANT_READ> or | |
80 | B<SSL_ERROR_WANT_WRITE> condition. | |
2984b0ae BM |
81 | There is no fixed upper limit for the number of iterations that |
82 | may be necessary until progress becomes visible at application | |
83 | protocol level. | |
84 | ||
57fd5170 KR |
85 | It is safe to call SSL_read() or SSL_read_ex() when more data is available |
86 | even when the call that set this error was an SSL_write() or SSL_write_ex(). | |
87 | However if the call was an SSL_write() or SSL_write_ex(), it should be called | |
88 | again to continue sending the application data. | |
89 | ||
2984b0ae BM |
90 | For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or |
91 | poll() on the underlying socket can be used to find out when the | |
92 | TLS/SSL I/O function should be retried. | |
a598cd1a | 93 | |
37b08e83 | 94 | Caveat: Any TLS/SSL I/O function can lead to either of |
57fd5170 KR |
95 | B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>. |
96 | In particular, | |
6782e5fd | 97 | SSL_read_ex(), SSL_read(), SSL_peek_ex(), or SSL_peek() may want to write data |
57fd5170 KR |
98 | and SSL_write() or SSL_write_ex() may want to read data. |
99 | This is mainly because | |
7714dc5e MC |
100 | TLS/SSL handshakes may occur at any time during the protocol (initiated by |
101 | either the client or the server); SSL_read_ex(), SSL_read(), SSL_peek_ex(), | |
6782e5fd | 102 | SSL_peek(), SSL_write_ex(), and SSL_write() will handle any pending handshakes. |
a598cd1a | 103 | |
74daa124 LJ |
104 | =item SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT |
105 | ||
106 | The operation did not complete; the same TLS/SSL I/O function should be | |
107 | called again later. The underlying BIO was not connected yet to the peer | |
108 | and the call would block in connect()/accept(). The SSL function should be | |
109 | called again when the connection is established. These messages can only | |
110 | appear with a BIO_s_connect() or BIO_s_accept() BIO, respectively. | |
111 | In order to find out, when the connection has been successfully established, | |
112 | on many platforms select() or poll() for writing on the socket file descriptor | |
113 | can be used. | |
114 | ||
a598cd1a BM |
115 | =item SSL_ERROR_WANT_X509_LOOKUP |
116 | ||
117 | The operation did not complete because an application callback set by | |
118 | SSL_CTX_set_client_cert_cb() has asked to be called again. | |
37b08e83 | 119 | The TLS/SSL I/O function should be called again later. |
a598cd1a BM |
120 | Details depend on the application. |
121 | ||
bc8857bf MC |
122 | =item SSL_ERROR_WANT_ASYNC |
123 | ||
124 | The operation did not complete because an asynchronous engine is still | |
125 | processing data. This will only occur if the mode has been set to SSL_MODE_ASYNC | |
126 | using L<SSL_CTX_set_mode(3)> or L<SSL_set_mode(3)> and an asynchronous capable | |
127 | engine is being used. An application can determine whether the engine has | |
128 | completed its processing using select() or poll() on the asynchronous wait file | |
129 | descriptor. This file descriptor is available by calling | |
c0e32b16 MC |
130 | L<SSL_get_all_async_fds(3)> or L<SSL_get_changed_async_fds(3)>. The TLS/SSL I/O |
131 | function should be called again later. The function B<must> be called from the | |
132 | same thread that the original call was made from. | |
bc8857bf | 133 | |
fc7f190c MC |
134 | =item SSL_ERROR_WANT_ASYNC_JOB |
135 | ||
136 | The asynchronous job could not be started because there were no async jobs | |
137 | available in the pool (see ASYNC_init_thread(3)). This will only occur if the | |
138 | mode has been set to SSL_MODE_ASYNC using L<SSL_CTX_set_mode(3)> or | |
139 | L<SSL_set_mode(3)> and a maximum limit has been set on the async job pool | |
140 | through a call to L<ASYNC_init_thread(3)>. The application should retry the | |
141 | operation after a currently executing asynchronous operation for the current | |
142 | thread has completed. | |
143 | ||
a9c0d8be | 144 | =item SSL_ERROR_WANT_CLIENT_HELLO_CB |
6b1bb98f BK |
145 | |
146 | The operation did not complete because an application callback set by | |
a9c0d8be | 147 | SSL_CTX_set_client_hello_cb() has asked to be called again. |
6b1bb98f BK |
148 | The TLS/SSL I/O function should be called again later. |
149 | Details depend on the application. | |
150 | ||
a598cd1a BM |
151 | =item SSL_ERROR_SYSCALL |
152 | ||
f4800345 MC |
153 | Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may |
154 | contain more information on the error. For socket I/O on Unix systems, consult | |
155 | B<errno> for details. If this error occurs then no further I/O operations should | |
156 | be performed on the connection and SSL_shutdown() must not be called. | |
a598cd1a | 157 | |
57fd5170 KR |
158 | This value can also be returned for other errors, check the error queue for |
159 | details. | |
160 | ||
a598cd1a BM |
161 | =item SSL_ERROR_SSL |
162 | ||
f4800345 MC |
163 | A non-recoverable, fatal error in the SSL library occurred, usually a protocol |
164 | error. The OpenSSL error queue contains more information on the error. If this | |
165 | error occurs then no further I/O operations should be performed on the | |
166 | connection and SSL_shutdown() must not be called. | |
a598cd1a BM |
167 | |
168 | =back | |
169 | ||
170 | =head1 SEE ALSO | |
171 | ||
73fb82b7 | 172 | L<ssl(7)> |
a598cd1a | 173 | |
bc8857bf MC |
174 | =head1 HISTORY |
175 | ||
fc5ecadd DMSP |
176 | The SSL_ERROR_WANT_ASYNC error code was added in OpenSSL 1.1.0. |
177 | The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1. | |
bc8857bf | 178 | |
e2f92610 RS |
179 | =head1 COPYRIGHT |
180 | ||
c4d3c19b | 181 | Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 182 | |
4746f25a | 183 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
184 | this file except in compliance with the License. You can obtain a copy |
185 | in the file LICENSE in the source distribution or at | |
186 | L<https://www.openssl.org/source/license.html>. | |
187 | ||
188 | =cut |