> Hello list,
> I write a application which acts like a proxy/repeater between
> two ssl - endpoints. For my app I use OpenSSL 0.9.8g.
> The two endpoints connect to the app and idenfity themselves
> using a id (Both use the matrixssl implementation for ssl handling).
> Two matching id's start the repeating.
> Everything runs fine up to the transfer amount of quite exactly 1
> megabyte, then the connection crashs and in repeat code I get
> this errormessage:

> Is there an error in the code?

Yes, the code is prone to deadlock. The code implements the "I will not start doing X until I finish doing Y" logic. This is known to cause deadlocks in proxies, as one end or the other of the connection proxied inevitably has an "I will not start doing Y until I finish doing X" logic.

You thus wind up with a proxy that could make forward progress in one direction but refuses to because it cannot make forward progress in the other direction.

But that's not your problem. You're problem is that you are horribly abusing SSL_pending. SSL data may be neither in the socket buffer nor pending, and you ignore it. (For example, the SSL connection may have, in its buffer, an entire SSL protocol block. No data is pending, since the first byte of the block has not been analyzed yet, and no data is waiting on the socket.)

In general terms, a general-purpose proxy can never say "I could do X, but I won't do it *now*". You break this rule in two ways. One with SSL_pending (which checks for one type of forward progress while ignoring another) and by blocking in one direction even when you could make progress in the other.


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org