[gnutls-dev] Re: SSL_connect and non-blocking i/o

[Simon Josefsson]

Jefferson Ogata <Jefferson.Ogata at noaa.gov> writes:

> First of all, my diff was not intended as a final patch, but merely to
> document that something is not implemented correctly in SSL_connect().

Understood, thanks.  By the look of the code, I think
libgnutls-openssl is a somewhat neglected part of GnuTLS.  It isn't
really a priority for me, but I'd be happy to install patches.

> As you can see, your SSL_connect() returns 0 regardless of the error, so
> the caller won't know that SSL_connect() needs to be called again.

A bug, it seems.

> In addition, you have this loop to call gnutls_protocol_set_priority()
> on every entrance to SSL_connect() regardless of the connection state.
> Is it safe/advisable to call gnutls SSL_connect() repeatedly?

Since the OpenSSL API says you should do that, the GnuTLS emulation
API should be the same.  I think it should work.

> Then there's the fact that you ignore the return value from the
> verification callback, fail to implement SSL_*_set_verify_depth(), fail
> to #define or implement SSL_VERIFY_PEER, SSL_VERIFY_IF_NO_PEER_CERT,
> SSL_VERIFY_CLIENT_ONCE, fail to do certificate preverification, fail to
> implement SSL_*_load_verify_locations(), but we can get to all that
> later (I'll be happy to help). :^)

I'm sure you are right here.  As they say, patches welcome. :-)

/Simon