I'm CTO of Netburner. (Also original author of NetBurners written from scratch SSL/TLS)
We are porting to use WolfSSL...
(Why are we porting? because we found that keeping up with the evolution of TLS standards and ciphers etc.. was more work than the internal economic value it was creating. So we tried to solve this by porting to XXXXSSL.
Then almost immediately hit the wall with features we needed not supported by XXXX....
So we are trying again to use an external library (wolfSSL in this case) with the goal of not having a full time engineer work on nothing but TLS.
The reason for my question is almost perfectly encapsulated in the forum comments I posted in my initial request...
https://www.wolfssl.com/forums/topic393 … ocket.html
Basically we a TCP system that can generate notification of new data, and write buffer changing from block to unblocked...
I also have customer written code that operates on an FD that needs all of the select (read,write,error) functionality...
I need to connect the two realms without creating a very expensive task for each SSL connection....
So TCP tells me there is new data available to read on the TCP socket associated with the WolfSSL connection...
I give that data to the wolfSSL system and as a result of that data I might or might not have generated decoded data for the customer/user code to read. So until that TCP data is processed I don't know if I can tell the customer/user FD if there is data avail , an error or whatever...
One grossly inefficient way to do this would be to start a task/thread for each connection...
I'm looking for how I can multiplex each of these TCP notifications saying read data is available in a single SSL managment thread to marshal data from TCP throught the WolfSSL to/from the customer/user connections.
Both the XXXXSSL and NetBurners internally written TLS code we are porting away from had that capability nativity.
I also need to extend the concept from just the read channel to write and accept and connect so the whole system can run asynchronously.
If I can't make this mode of operation work then I will have to seek other solutions, as the alternative is to tell 10K customers they must rewrite their code...
I've looked at the example pointed to in your previous response and it seems like it only manages a single connection asyncronously, and does not do an asynchronous accept....
I've spent close to a week digging in your code and I think the solution I outlined above will work...
We are in the middle of experimenting in this space....
I do have one specific question I don't exactly understand...
lets say I call wolfSSL_write with data to write...so much data its going to need to be in multiple TLS messages...
There are three possible outcomes...
1)wolfSSL_write is able to encrypt the all of the requested write data into a block and ship ALL of that data out via TCP.
2)wolfSSL_write is able to encrypt the all of the requested write data into a block and ship SOME of that data out via TCP.
with subsequent writes to the TCP system returning would block...
3)wolfSSL_write is able to encrypt some of the requested write data into a block and ship SOME of that data out via TCP.
with subsequent writes to the TCP system returning would block...
So operating in an asynchronous manner in case 1, I'd expect the wolfSSL_write function to return the number of bytes written, matching the number requested...
In 2,3 I'd expect an error of
SSL_ERROR_WANT_WRITE
, but 2,3 are DIFFERNT!
How do I tell the difference between case 2 and case 3....
When I later get notified that the TCP connection has cleared its write backlog....
how do I recover for case 2 and case 3...
This is especially problematic when the write request will span multiple TLS encrypted data blocks...