OpenSSL 1.1.1 blocking on a non-blocking socket #586

Closed
david-mohr opened this issue Dec 11, 2019 · 1 comment · Fixed by #587

Hi Alan,

We recently moved to OpenSSL 1.1.1 from 1.1.0 and found some issues with amqp_basic_publish blocking under certain conditions, even though we are using a non-blocking socket.

After many days of frustration, we found one little comment in the OpenSSL docs:

All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by default since 1.1.1

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_mode.html

SSL_MODE_AUTO_RETRY attempts to renegotiate a broken SSL connection (which in our testing is simply pulling out the network cable) and blocks the whole time.

To revert back to the original, fully non-blocking behaviour we disabled AUTO_RETRY and enabled PARTIAL_WRITE:

SSL_CTX_set_mode(amqp_socket->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_clear_mode(amqp_socket->ctx, SSL_MODE_AUTO_RETRY);

And now we are back to expected non-blocking behaviour.

Would you be comfortable adding this into the code base when the SSL CTX is created? Alternatively, would you be able to declare the amqp_socket struct in the header so we can access the CTX to set these modes from our application code?

Thanks.

david-mohr changed the title from "OpenSSL 1.1.1 blocking issue" to "OpenSSL 1.1.1 blocking on a non-blocking socket" on Dec 11, 2019
alanxz added a commit that referenced this issue Dec 11, 2019
OpenSSL changed the default in v1.1.1 of SSL_MODE_AUTO_RETRY from off to
on. Because rabbitmq-c uses non-blocking calls internally, this must be
disabled.

Additionally turn on SSL_MODE_ENABLE_PARTIAL_WRITE to allow SSL_write to
return before a full frame is written. This is likely a latent bug that
hasn't been found until recently.

Fixes #586

alanxz commented Dec 11, 2019

Seems like a reasonable thing to fix. Fix is in #587
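
Added example, not part of the thread and not rabbitmq-c code: once SSL_MODE_ENABLE_PARTIAL_WRITE is set, a write can return before the full frame is sent, so the sender has to keep an offset and resume without ever waiting. `frame_tx`, `frame_tx_step`, `write_fn` and `mock_sock` are hypothetical names, and the mock transport is a constructed stand-in for a wrapper around `SSL_write` so the block runs without OpenSSL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Added example; every name below is hypothetical, not rabbitmq-c API. */
enum io_status { IO_DONE = 0, IO_WANT_WRITE = 1, IO_ERROR = -1 };

/* Write callback with the semantics a wrapper around SSL_write would have once
 * SSL_MODE_AUTO_RETRY is cleared and SSL_MODE_ENABLE_PARTIAL_WRITE is set:
 * >0 bytes accepted (may be < len), 0 if the socket would block, <0 if fatal. */
typedef int (*write_fn)(void *transport, const unsigned char *buf, size_t len);
struct frame_tx { const unsigned char *data; size_t len, off; };

/* Push as much of the frame as the transport takes, never waiting. On
 * IO_WANT_WRITE `off` is unchanged since the refused call, so the next call
 * repeats the same pointer and length, as SSL_write requires on retry. */
enum io_status frame_tx_step(struct frame_tx *tx, write_fn w, void *transport) {
  while (tx->off < tx->len) {
    int n = w(transport, tx->data + tx->off, tx->len - tx->off);
    if (n < 0) return IO_ERROR;
    if (n == 0) return IO_WANT_WRITE; /* caller polls, then calls again */
    tx->off += (size_t)n;
  }
  return IO_DONE;
}

/* Constructed stand-in for a TLS socket: takes at most `chunk` bytes per call
 * and reports "would block" when `budget` (free send-buffer space) is 0. */
struct mock_sock { unsigned char wire[64]; size_t used, chunk, budget; };
int mock_write(void *t, const unsigned char *buf, size_t len) {
  struct mock_sock *s = t;
  size_t n = len < s->chunk ? len : s->chunk;
  if (n > s->budget) n = s->budget;
  if (s->used + n > sizeof s->wire) return -1; /* treated as a fatal error */
  if (n == 0) return 0;
  memcpy(s->wire + s->used, buf, n);
  s->used += n; s->budget -= n;
  return (int)n;
}

int main(void) {
  static const unsigned char frame[] = "constructed-AMQP-frame"; /* sample */
  struct mock_sock s = { {0}, 0, 8, 10 };
  struct frame_tx tx = { frame, sizeof frame - 1, 0 };
  int first = frame_tx_step(&tx, mock_write, &s); /* stalls: budget used up */
  s.budget = sizeof s.wire;                        /* socket writable again */
  int second = frame_tx_step(&tx, mock_write, &s);
  printf("first=%d second=%d sent=%zu\n", first, second, tx.off);
  return second == IO_DONE ? 0 : 1;
}
```

In a real sender the callback would map `SSL_ERROR_WANT_READ` and `SSL_ERROR_WANT_WRITE` from `SSL_get_error` to the "would block" result and hand control back to the event loop.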
