OpenSSL 1.1.1 Released with TLS 1.3 Support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Sep 11, 2018.

  1. eva2000 (Administrator, Staff Member)
    FYI, the bbcode isn't QUOTEB but CODEB ;)

    Believe it's from this check OpenSSL does (openssl/openssl):
    Code (Text):
        /*
         * ensure that if we end up with a smaller value of data to write out
         * than the original len from a write which didn't complete for
         * non-blocking I/O and also somehow ended up avoiding the check for
         * this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be
         * possible to end up with (len-tot) as a large number that will then
         * promptly send beyond the end of the users buffer ... so we trap and
         * report the error in a way the user will notice
         */
        if ((len < s->rlayer.wnum)
            || ((wb->left != 0) && (len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_WRITE_BYTES,
                     SSL_R_BAD_LENGTH);
            return -1;
        }

    Not a coder or that familiar with OpenSSL coding so not entirely sure, but it looks like it's related to the SSL buffer used by OpenSSL and a check to ensure the amount of data written out is not larger than the amount of application data held, and related to retry for writes, i.e. when application data is too long/large to fit into a single TLS record, usually the application data is split into smaller chunks and processed separately. The SSL buffer holds the current application data that is being held for writing - including the length of that application data. Now if for some reason the write fails, i.e. blocking IO, then the write is retried again but this time the application data length has changed, and this error message/code checks to ensure the amount of data written out isn't larger than the application data length held by the SSL buffer.

    So yes, probably can ignore and OpenSSL re-tries the write again.
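Added example (not part of the thread and not OpenSSL's own code): a deliberately simplified C model of the record-layer write state that the quoted check protects. It keeps the three fields the snippet reads (`wnum`, `wpend_tot`, `left`) and a constructed `model_ssl_write` that consumes a caller's buffer in 16 KiB records against a transport that only accepts `capacity` bytes per call (0 models EAGAIN on non-blocking I/O). The state layout and the flush order are assumptions made for illustration; what it shows is why a retry after a partial write must pass at least the same length as before, otherwise the check fires with `SSL_R_BAD_LENGTH` instead of the library reading past the end of a buffer it no longer has. (In real OpenSSL a separate check in `ssl3_write_pending` also rejects a retry whose buffer pointer moved, `SSL_R_BAD_WRITE_RETRY`, unless `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` is set.)

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of OpenSSL's per-connection write state.
 * Field names mirror the quoted snippet; the layout is an assumption. */
typedef struct {
    size_t wnum;      /* bytes of the caller's buffer fully handed to the transport */
    size_t wpend_tot; /* application bytes in the record that is partly flushed */
    size_t left;      /* bytes of that pending record still not flushed */
} write_state;

enum { WRITE_OK = 1, WRITE_WANT_WRITE = 0, WRITE_BAD_LENGTH = -1 };
#define MAX_RECORD 16384 /* TLS plaintext record limit */

/* The sanity check from the snippet, transcribed for this model. */
static int check_retry_length(const write_state *st, size_t len) {
    if (len < st->wnum
        || (st->left != 0 && len < st->wnum + st->wpend_tot))
        return WRITE_BAD_LENGTH;
    return WRITE_OK;
}

/* One simulated SSL_write(len) where the transport accepts `capacity` bytes now.
 * Returns WRITE_OK with *written = len, WRITE_WANT_WRITE (caller must retry with
 * the same buffer and at least the same len), or WRITE_BAD_LENGTH. */
static int model_ssl_write(write_state *st, size_t len, size_t capacity,
                           size_t *written) {
    int rc = check_retry_length(st, len);
    if (rc != WRITE_OK)
        return rc;
    /* Finish the record left over from a previous partial write first. */
    if (st->left != 0) {
        if (capacity < st->left) {
            st->left -= capacity;
            return WRITE_WANT_WRITE;
        }
        capacity -= st->left;
        st->left = 0;
        st->wnum += st->wpend_tot;
        st->wpend_tot = 0;
    }
    /* Then cut the remainder of the buffer into records. */
    while (st->wnum < len) {
        size_t chunk = len - st->wnum;
        if (chunk > MAX_RECORD)
            chunk = MAX_RECORD;
        if (capacity < chunk) {
            st->wpend_tot = chunk;           /* record built but not fully sent */
            st->left = chunk - capacity;
            return WRITE_WANT_WRITE;
        }
        capacity -= chunk;
        st->wnum += chunk;
    }
    *written = st->wnum;
    st->wnum = 0; /* whole buffer delivered: reset for the next call */
    return WRITE_OK;
}

/* Walk through the scenario described in the post: a 40000-byte write that
 * only partly completes, followed by good and bad retries. Returns 1 if every
 * outcome is as expected, 0 otherwise. */
int demo_retry_rules(void) {
    write_state st = {0, 0, 0};
    size_t w = 0;
    if (model_ssl_write(&st, 40000, 20000, &w) != WRITE_WANT_WRITE) return 0;
    if (st.wnum != 16384 || st.wpend_tot != 16384 || st.left != 12768) return 0;
    /* Shorter than what is already committed: trapped, not silently written. */
    if (check_retry_length(&st, 10000) != WRITE_BAD_LENGTH) return 0;
    /* Longer than wnum but shorter than the pending record: also trapped. */
    if (check_retry_length(&st, 20000) != WRITE_BAD_LENGTH) return 0;
    /* Correct retry with the original length completes the write. */
    if (model_ssl_write(&st, 40000, 100000, &w) != WRITE_OK || w != 40000) return 0;
    return 1;
}

int main(void) {
    printf("retry rules hold: %s\n", demo_retry_rules() ? "yes" : "no");
    return 0;
}
```

The useful takeaway for application code is the rule the check enforces: after `SSL_write` reports `SSL_ERROR_WANT_WRITE`, call it again with the same buffer and a length no smaller than before; the error in the quoted code is OpenSSL refusing a retry that broke that contract, not a transport failure.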