noxxi
commented
7 years ago Thanks for the patch. I've merged the change but I've changed the behavior: In my opinion simoly using a SSL_startHandshake=0 should not be used as an indicator that the socket should not be closed in fatal error since these are different things. SSL_startHandshake=0 is usually used in non-blocking scenarios where the socket object is created and then accept_SSL or connect_SSL are done in a non-blocking way. A close of the socket on fatal errors is actually usually expected in this case. To get the behavior of not closing the socket I've added a new option SSL_keepSocketOnError in 1bacf7e instead.
Hi,
in a non-blocking environment with SSL_startHandshake=0, a later call to accept_SSL() or connect_SSL(), the handshake could fail. This ends in fatal_ssl_error() which does a close on the socket even if the tcp socket was opened successfully. After the socket is closed, the object can't be used anymore in IO::Poll, Epoll, etc. because a fileno() is called in there. One workaround would be to keep the fd before doing the handshake, an other would be to just do stop_SSL in fatal_ssl_error like the patch does. This is a much more straightforward way then keeping the fd elsewhere. Using SSL_startHandshake=0 sounds the same like upgrading a plain tcp socket, therefore IO::Socket::SSL could act the same way after handshake errors. Would be kind if you could add the patch in one of the next releases.
Andreas