]>
Commit | Line | Data |
---|---|---|
a598cd1a BM |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
1e4e5492 | 5 | SSL_get_error - obtain result code for TLS/SSL I/O operation |
a598cd1a BM |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
9 | #include <openssl/ssl.h> | |
10 | ||
c3e64028 | 11 | int SSL_get_error(const SSL *ssl, int ret); |
a598cd1a BM |
12 | |
13 | =head1 DESCRIPTION | |
14 | ||
15 | SSL_get_error() returns a result code (suitable for the C "switch" | |
02750ff5 | 16 | statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(), |
7714dc5e MC |
17 | SSL_read_ex(), SSL_read(), SSL_peek_ex(), SSL_peek(), SSL_write_ex() or |
18 | SSL_write() on B<ssl>. The value returned by that TLS/SSL I/O function must be | |
19 | passed to SSL_get_error() in parameter B<ret>. | |
a598cd1a BM |
20 | |
21 | In addition to B<ssl> and B<ret>, SSL_get_error() inspects the | |
22 | current thread's OpenSSL error queue. Thus, SSL_get_error() must be | |
1e4e5492 | 23 | used in the same thread that performed the TLS/SSL I/O operation, and no |
f5a8d678 | 24 | other OpenSSL function calls should appear in between. The current |
1e4e5492 | 25 | thread's error queue must be empty before the TLS/SSL I/O operation is |
a598cd1a BM |
26 | attempted, or SSL_get_error() will not work reliably. |
27 | ||
28 | =head1 RETURN VALUES | |
29 | ||
30 | The following return values can currently occur: | |
31 | ||
32 | =over 4 | |
33 | ||
34 | =item SSL_ERROR_NONE | |
35 | ||
1e4e5492 | 36 | The TLS/SSL I/O operation completed. This result code is returned |
f5a8d678 | 37 | if and only if B<ret E<gt> 0>. |
a598cd1a BM |
38 | |
39 | =item SSL_ERROR_ZERO_RETURN | |
40 | ||
2f6f913e | 41 | The TLS/SSL peer has closed the connection for writing by sending the |
00f561ab | 42 | close_notify alert. |
2f6f913e KR |
43 | No more data can be read. |
44 | Note that B<SSL_ERROR_ZERO_RETURN> does not necessarily | |
beacb0f0 | 45 | indicate that the underlying transport has been closed. |
a598cd1a BM |
46 | |
47 | =item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE | |
48 | ||
57fd5170 KR |
49 | The operation did not complete and can be retried later. |
50 | ||
51 | B<SSL_ERROR_WANT_READ> is returned when the last operation was a read | |
52 | operation from a non-blocking B<BIO>. | |
53 | It means that not enough data was available at this time to complete the | |
54 | operation. | |
55 | If at a later time the underlying B<BIO> has data available for reading the same | |
56 | function can be called again. | |
57 | ||
58 | SSL_read() and SSL_read_ex() can also set B<SSL_ERROR_WANT_READ> when there is | |
59 | still unprocessed data available at either the B<SSL> or the B<BIO> layer, even | |
60 | for a blocking B<BIO>. | |
61 | See L<SSL_read(3)> for more information. | |
62 | ||
63 | B<SSL_ERROR_WANT_WRITE> is returned when the last operation was a write | |
64 | to a non-blocking B<BIO> and it was unable to sent all data to the B<BIO>. | |
65 | When the B<BIO> is writeable again, the same function can be called again. | |
66 | ||
67 | Note that the retry may again lead to an B<SSL_ERROR_WANT_READ> or | |
68 | B<SSL_ERROR_WANT_WRITE> condition. | |
2984b0ae BM |
69 | There is no fixed upper limit for the number of iterations that |
70 | may be necessary until progress becomes visible at application | |
71 | protocol level. | |
72 | ||
57fd5170 KR |
73 | It is safe to call SSL_read() or SSL_read_ex() when more data is available |
74 | even when the call that set this error was an SSL_write() or SSL_write_ex(). | |
75 | However if the call was an SSL_write() or SSL_write_ex(), it should be called | |
76 | again to continue sending the application data. | |
77 | ||
2984b0ae BM |
78 | For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or |
79 | poll() on the underlying socket can be used to find out when the | |
80 | TLS/SSL I/O function should be retried. | |
a598cd1a | 81 | |
37b08e83 | 82 | Caveat: Any TLS/SSL I/O function can lead to either of |
57fd5170 KR |
83 | B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>. |
84 | In particular, | |
6782e5fd | 85 | SSL_read_ex(), SSL_read(), SSL_peek_ex(), or SSL_peek() may want to write data |
57fd5170 KR |
86 | and SSL_write() or SSL_write_ex() may want to read data. |
87 | This is mainly because | |
7714dc5e MC |
88 | TLS/SSL handshakes may occur at any time during the protocol (initiated by |
89 | either the client or the server); SSL_read_ex(), SSL_read(), SSL_peek_ex(), | |
6782e5fd | 90 | SSL_peek(), SSL_write_ex(), and SSL_write() will handle any pending handshakes. |
a598cd1a | 91 | |
74daa124 LJ |
92 | =item SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT |
93 | ||
94 | The operation did not complete; the same TLS/SSL I/O function should be | |
95 | called again later. The underlying BIO was not connected yet to the peer | |
96 | and the call would block in connect()/accept(). The SSL function should be | |
97 | called again when the connection is established. These messages can only | |
98 | appear with a BIO_s_connect() or BIO_s_accept() BIO, respectively. | |
99 | In order to find out, when the connection has been successfully established, | |
100 | on many platforms select() or poll() for writing on the socket file descriptor | |
101 | can be used. | |
102 | ||
a598cd1a BM |
103 | =item SSL_ERROR_WANT_X509_LOOKUP |
104 | ||
105 | The operation did not complete because an application callback set by | |
106 | SSL_CTX_set_client_cert_cb() has asked to be called again. | |
37b08e83 | 107 | The TLS/SSL I/O function should be called again later. |
a598cd1a BM |
108 | Details depend on the application. |
109 | ||
bc8857bf MC |
110 | =item SSL_ERROR_WANT_ASYNC |
111 | ||
112 | The operation did not complete because an asynchronous engine is still | |
113 | processing data. This will only occur if the mode has been set to SSL_MODE_ASYNC | |
114 | using L<SSL_CTX_set_mode(3)> or L<SSL_set_mode(3)> and an asynchronous capable | |
115 | engine is being used. An application can determine whether the engine has | |
116 | completed its processing using select() or poll() on the asynchronous wait file | |
117 | descriptor. This file descriptor is available by calling | |
c0e32b16 MC |
118 | L<SSL_get_all_async_fds(3)> or L<SSL_get_changed_async_fds(3)>. The TLS/SSL I/O |
119 | function should be called again later. The function B<must> be called from the | |
120 | same thread that the original call was made from. | |
bc8857bf | 121 | |
fc7f190c MC |
122 | =item SSL_ERROR_WANT_ASYNC_JOB |
123 | ||
124 | The asynchronous job could not be started because there were no async jobs | |
125 | available in the pool (see ASYNC_init_thread(3)). This will only occur if the | |
126 | mode has been set to SSL_MODE_ASYNC using L<SSL_CTX_set_mode(3)> or | |
127 | L<SSL_set_mode(3)> and a maximum limit has been set on the async job pool | |
128 | through a call to L<ASYNC_init_thread(3)>. The application should retry the | |
129 | operation after a currently executing asynchronous operation for the current | |
130 | thread has completed. | |
131 | ||
a9c0d8be | 132 | =item SSL_ERROR_WANT_CLIENT_HELLO_CB |
6b1bb98f BK |
133 | |
134 | The operation did not complete because an application callback set by | |
a9c0d8be | 135 | SSL_CTX_set_client_hello_cb() has asked to be called again. |
6b1bb98f BK |
136 | The TLS/SSL I/O function should be called again later. |
137 | Details depend on the application. | |
138 | ||
a598cd1a BM |
139 | =item SSL_ERROR_SYSCALL |
140 | ||
beacb0f0 KR |
141 | Some non-recoverable I/O error occurred. |
142 | The OpenSSL error queue may contain more information on the error. | |
143 | For socket I/O on Unix systems, consult B<errno> for details. | |
a598cd1a | 144 | |
57fd5170 KR |
145 | This value can also be returned for other errors, check the error queue for |
146 | details. | |
147 | ||
a598cd1a BM |
148 | =item SSL_ERROR_SSL |
149 | ||
f5a8d678 | 150 | A failure in the SSL library occurred, usually a protocol error. The |
a598cd1a BM |
151 | OpenSSL error queue contains more information on the error. |
152 | ||
153 | =back | |
154 | ||
155 | =head1 SEE ALSO | |
156 | ||
73fb82b7 | 157 | L<ssl(7)> |
a598cd1a | 158 | |
bc8857bf MC |
159 | =head1 HISTORY |
160 | ||
161 | SSL_ERROR_WANT_ASYNC was added in OpenSSL 1.1.0. | |
a9c0d8be | 162 | SSL_ERROR_WANT_CLIENT_HELLO_CB was added in OpenSSL 1.1.1. |
bc8857bf | 163 | |
e2f92610 RS |
164 | =head1 COPYRIGHT |
165 | ||
c4d3c19b | 166 | Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 RS |
167 | |
168 | Licensed under the OpenSSL license (the "License"). You may not use | |
169 | this file except in compliance with the License. You can obtain a copy | |
170 | in the file LICENSE in the source distribution or at | |
171 | L<https://www.openssl.org/source/license.html>. | |
172 | ||
173 | =cut |