]>
Commit | Line | Data |
---|---|---|
a598cd1a BM |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
1e4e5492 | 5 | SSL_get_error - obtain result code for TLS/SSL I/O operation |
a598cd1a BM |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
9 | #include <openssl/ssl.h> | |
10 | ||
c3e64028 | 11 | int SSL_get_error(const SSL *ssl, int ret); |
a598cd1a BM |
12 | |
13 | =head1 DESCRIPTION | |
14 | ||
15 | SSL_get_error() returns a result code (suitable for the C "switch" | |
02750ff5 | 16 | statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(), |
7714dc5e MC |
17 | SSL_read_ex(), SSL_read(), SSL_peek_ex(), SSL_peek(), SSL_write_ex() or |
18 | SSL_write() on B<ssl>. The value returned by that TLS/SSL I/O function must be | |
19 | passed to SSL_get_error() in parameter B<ret>. | |
a598cd1a BM |
20 | |
21 | In addition to B<ssl> and B<ret>, SSL_get_error() inspects the | |
22 | current thread's OpenSSL error queue. Thus, SSL_get_error() must be | |
1e4e5492 | 23 | used in the same thread that performed the TLS/SSL I/O operation, and no |
f5a8d678 | 24 | other OpenSSL function calls should appear in between. The current |
1e4e5492 | 25 | thread's error queue must be empty before the TLS/SSL I/O operation is |
a598cd1a BM |
26 | attempted, or SSL_get_error() will not work reliably. |
27 | ||
28 | =head1 RETURN VALUES | |
29 | ||
30 | The following return values can currently occur: | |
31 | ||
32 | =over 4 | |
33 | ||
34 | =item SSL_ERROR_NONE | |
35 | ||
1e4e5492 | 36 | The TLS/SSL I/O operation completed. This result code is returned |
f5a8d678 | 37 | if and only if B<ret E<gt> 0>. |
a598cd1a BM |
38 | |
39 | =item SSL_ERROR_ZERO_RETURN | |
40 | ||
beacb0f0 KR |
41 | The TLS/SSL connection has been closed. |
42 | If the protocol version is SSL 3.0 or higher, this result code is returned only | |
43 | if a closure alert has occurred in the protocol, i.e. if the connection has been | |
44 | closed cleanly. | |
45 | Note that in this case B<SSL_ERROR_ZERO_RETURN> does not necessarily | |
46 | indicate that the underlying transport has been closed. | |
a598cd1a BM |
47 | |
48 | =item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE | |
49 | ||
1e4e5492 | 50 | The operation did not complete; the same TLS/SSL I/O function should be |
2984b0ae BM |
51 | called again later. If, by then, the underlying B<BIO> has data |
52 | available for reading (if the result code is B<SSL_ERROR_WANT_READ>) | |
53 | or allows writing data (B<SSL_ERROR_WANT_WRITE>), then some TLS/SSL | |
54 | protocol progress will take place, i.e. at least part of an TLS/SSL | |
55 | record will be read or written. Note that the retry may again lead to | |
56 | a B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE> condition. | |
57 | There is no fixed upper limit for the number of iterations that | |
58 | may be necessary until progress becomes visible at application | |
59 | protocol level. | |
60 | ||
61 | For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or | |
62 | poll() on the underlying socket can be used to find out when the | |
63 | TLS/SSL I/O function should be retried. | |
a598cd1a | 64 | |
37b08e83 | 65 | Caveat: Any TLS/SSL I/O function can lead to either of |
2984b0ae | 66 | B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>. In particular, |
6782e5fd MC |
67 | SSL_read_ex(), SSL_read(), SSL_peek_ex(), or SSL_peek() may want to write data |
68 | and SSL_write() or SSL_write_ex() may want to read data. This is mainly because | |
7714dc5e MC |
69 | TLS/SSL handshakes may occur at any time during the protocol (initiated by |
70 | either the client or the server); SSL_read_ex(), SSL_read(), SSL_peek_ex(), | |
6782e5fd | 71 | SSL_peek(), SSL_write_ex(), and SSL_write() will handle any pending handshakes. |
a598cd1a | 72 | |
74daa124 LJ |
73 | =item SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT |
74 | ||
75 | The operation did not complete; the same TLS/SSL I/O function should be | |
76 | called again later. The underlying BIO was not connected yet to the peer | |
77 | and the call would block in connect()/accept(). The SSL function should be | |
78 | called again when the connection is established. These messages can only | |
79 | appear with a BIO_s_connect() or BIO_s_accept() BIO, respectively. | |
80 | In order to find out, when the connection has been successfully established, | |
81 | on many platforms select() or poll() for writing on the socket file descriptor | |
82 | can be used. | |
83 | ||
a598cd1a BM |
84 | =item SSL_ERROR_WANT_X509_LOOKUP |
85 | ||
86 | The operation did not complete because an application callback set by | |
87 | SSL_CTX_set_client_cert_cb() has asked to be called again. | |
37b08e83 | 88 | The TLS/SSL I/O function should be called again later. |
a598cd1a BM |
89 | Details depend on the application. |
90 | ||
bc8857bf MC |
91 | =item SSL_ERROR_WANT_ASYNC |
92 | ||
93 | The operation did not complete because an asynchronous engine is still | |
94 | processing data. This will only occur if the mode has been set to SSL_MODE_ASYNC | |
95 | using L<SSL_CTX_set_mode(3)> or L<SSL_set_mode(3)> and an asynchronous capable | |
96 | engine is being used. An application can determine whether the engine has | |
97 | completed its processing using select() or poll() on the asynchronous wait file | |
98 | descriptor. This file descriptor is available by calling | |
c0e32b16 MC |
99 | L<SSL_get_all_async_fds(3)> or L<SSL_get_changed_async_fds(3)>. The TLS/SSL I/O |
100 | function should be called again later. The function B<must> be called from the | |
101 | same thread that the original call was made from. | |
bc8857bf | 102 | |
fc7f190c MC |
103 | =item SSL_ERROR_WANT_ASYNC_JOB |
104 | ||
105 | The asynchronous job could not be started because there were no async jobs | |
106 | available in the pool (see ASYNC_init_thread(3)). This will only occur if the | |
107 | mode has been set to SSL_MODE_ASYNC using L<SSL_CTX_set_mode(3)> or | |
108 | L<SSL_set_mode(3)> and a maximum limit has been set on the async job pool | |
109 | through a call to L<ASYNC_init_thread(3)>. The application should retry the | |
110 | operation after a currently executing asynchronous operation for the current | |
111 | thread has completed. | |
112 | ||
a9c0d8be | 113 | =item SSL_ERROR_WANT_CLIENT_HELLO_CB |
6b1bb98f BK |
114 | |
115 | The operation did not complete because an application callback set by | |
a9c0d8be | 116 | SSL_CTX_set_client_hello_cb() has asked to be called again. |
6b1bb98f BK |
117 | The TLS/SSL I/O function should be called again later. |
118 | Details depend on the application. | |
119 | ||
a598cd1a BM |
120 | =item SSL_ERROR_SYSCALL |
121 | ||
beacb0f0 KR |
122 | Some non-recoverable I/O error occurred. |
123 | The OpenSSL error queue may contain more information on the error. | |
124 | For socket I/O on Unix systems, consult B<errno> for details. | |
a598cd1a BM |
125 | |
126 | =item SSL_ERROR_SSL | |
127 | ||
f5a8d678 | 128 | A failure in the SSL library occurred, usually a protocol error. The |
a598cd1a BM |
129 | OpenSSL error queue contains more information on the error. |
130 | ||
131 | =back | |
132 | ||
133 | =head1 SEE ALSO | |
134 | ||
73fb82b7 | 135 | L<ssl(7)> |
a598cd1a | 136 | |
bc8857bf MC |
137 | =head1 HISTORY |
138 | ||
139 | SSL_ERROR_WANT_ASYNC was added in OpenSSL 1.1.0. | |
a9c0d8be | 140 | SSL_ERROR_WANT_CLIENT_HELLO_CB was added in OpenSSL 1.1.1. |
bc8857bf | 141 | |
e2f92610 RS |
142 | =head1 COPYRIGHT |
143 | ||
6b1bb98f | 144 | Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 RS |
145 | |
146 | Licensed under the OpenSSL license (the "License"). You may not use | |
147 | this file except in compliance with the License. You can obtain a copy | |
148 | in the file LICENSE in the source distribution or at | |
149 | L<https://www.openssl.org/source/license.html>. | |
150 | ||
151 | =cut |