
OpenSSL OpenSSL 1.1.1 Released with TLS 1.3 Support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Sep 11, 2018.

  eva2000 (Administrator, Staff Member):
    FYI, the bbcode isn't QUOTEB but CODEB ;)

    Believe it's from this check OpenSSL does in openssl/openssl:
    Code (Text):
        /*
         * ensure that if we end up with a smaller value of data to write out
         * than the original len from a write which didn't complete for
         * non-blocking I/O and also somehow ended up avoiding the check for
         * this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be
         * possible to end up with (len-tot) as a large number that will then
         * promptly send beyond the end of the users buffer ... so we trap and
         * report the error in a way the user will notice
         */
        if ((len < s->rlayer.wnum)
            || ((wb->left != 0) && (len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES,
                     SSL_R_BAD_LENGTH);
            return -1;
        }

    Not a coder or that familiar with OpenSSL coding so not entirely sure, but looks like it's related to the SSL buffer used by OpenSSL and a check to ensure the amount of data written out is not larger than the amount of application data held, and related to retries for writes, i.e. when application data is too long/large to fit into a single TLS record, usually the application data is split into smaller chunks and processed separately. The SSL buffer holds the current application data that is being held for writing, including the length of that application data. Now if for some reason the write fails, i.e. blocking IO, then the write is retried again, but this time the application data length has changed, and this error message/code checks to ensure the amount of data written out isn't larger than the application data length held by the SSL buffer.


    So yes, probably can ignore and OpenSSL retries the write again.
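As an added illustration of the retry rule that check enforces (my own model written for this thread, not OpenSSL's code and not from the post above): a non-blocking write that only partly makes it onto the wire leaves a record in flight, and the caller must retry with the same buffer and at least the same length; a shorter retry is trapped as a bad length instead of letting the record layer index past the end of the caller's buffer. `model_layer`, `fake_socket`, `model_write` and `scenario_retry` are hypothetical names, the 64-byte record size and the 70-byte socket budget are constructed numbers, and the model re-reads the caller's buffer for the pending record where real OpenSSL keeps that record, already encrypted, in its own write buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* Outcomes of the model write; they carry the meaning of OpenSSL's results, not its values. */
enum { MODEL_BAD_LENGTH = -1, MODEL_WANT_WRITE = -2 };

/* Constructed stand-in for a non-blocking socket: it accepts at most `budget`
 * bytes and then behaves as if the kernel send buffer were full. */
typedef struct {
    size_t budget;
    size_t sent;
} fake_socket;

static size_t sock_send(fake_socket *sk, const unsigned char *p, size_t n) {
    size_t take = n < sk->budget ? n : sk->budget;
    (void)p;            /* the model never inspects the bytes */
    sk->budget -= take;
    sk->sent += take;
    return take;
}

/* Hypothetical record-layer state, named after the fields the snippet reads. */
typedef struct {
    size_t max_record;  /* app data per record (16384 in TLS; small here so the run stays short) */
    size_t wnum;        /* bytes of the caller's buffer already sent in completed records */
    size_t wpend_tot;   /* app-data size of the record still in flight */
    size_t left;        /* bytes of that record the socket has not accepted yet (wb->left) */
} model_layer;

/* Returns len when everything is on the wire, MODEL_WANT_WRITE when the socket
 * would block (the caller must retry with the same buffer and at least the same
 * len), or MODEL_BAD_LENGTH when a retry is shorter than what is already committed. */
long model_write(model_layer *s, fake_socket *sk, const unsigned char *buf, size_t len) {
    /* The check from the snippet: without it the loop below would index
     * buf with offsets computed from the longer, earlier call. */
    if (len < s->wnum || (s->left != 0 && len < s->wnum + s->wpend_tot))
        return MODEL_BAD_LENGTH;

    /* Finish the record left over from the previous call first. (Real OpenSSL
     * keeps that record encrypted in its own buffer; the model re-reads buf.) */
    if (s->left != 0) {
        size_t off = s->wnum + s->wpend_tot - s->left;
        s->left -= sock_send(sk, buf + off, s->left);
        if (s->left != 0)
            return MODEL_WANT_WRITE;
        s->wnum += s->wpend_tot;
        s->wpend_tot = 0;
    }

    /* Split the remaining application data into records. */
    while (s->wnum < len) {
        size_t chunk = len - s->wnum;
        size_t n;
        if (chunk > s->max_record)
            chunk = s->max_record;
        n = sock_send(sk, buf + s->wnum, chunk);
        if (n < chunk) {
            s->wpend_tot = chunk;
            s->left = chunk - n;
            return MODEL_WANT_WRITE;
        }
        s->wnum += chunk;
    }

    long done = (long)s->wnum;
    s->wnum = 0;        /* buffer fully written; the next call starts fresh */
    return done;
}

/* Constructed scenario: a 100-byte write with 64-byte records and a socket that
 * takes 70 bytes before blocking, then a retry of `retry_len` bytes after the
 * socket has drained. */
long scenario_retry(size_t retry_len) {
    unsigned char data[256] = {0};
    fake_socket sk = {70, 0};
    model_layer s = {64, 0, 0, 0};
    if (model_write(&s, &sk, data, 100) != MODEL_WANT_WRITE)
        return -100;    /* not expected with these numbers */
    sk.budget = 70;     /* kernel drained the send buffer; retry now possible */
    return model_write(&s, &sk, data, retry_len);
}

int main(void) {
    printf("retry with 100 bytes: %ld\n", scenario_retry(100));  /* 100: completes */
    printf("retry with 80 bytes:  %ld\n", scenario_retry(80));   /* -1: trapped */
    printf("retry with 50 bytes:  %ld\n", scenario_retry(50));   /* -1: trapped */
    return 0;
}
```

The first call sends the whole first record and 6 bytes of the second before the socket fills, so `wnum` is 64 with a 36-byte record pending; a retry of 80 bytes passes the `len < wnum` test but fails the `len < wnum + wpend_tot` test, which is exactly the second half of the condition in the snippet. A retry that is longer than the original call is allowed, since it still covers everything in flight.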