1=pod 2 3=head1 NAME 4 5SSL_get_error - obtain result code for TLS/SSL I/O operation 6 7=head1 SYNOPSIS 8 9 #include <openssl/ssl.h> 10 11 int SSL_get_error(const SSL *ssl, int ret); 12 13=head1 DESCRIPTION 14 15SSL_get_error() returns a result code (suitable for the C "switch" 16statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(), 17SSL_read_ex(), SSL_read(), SSL_peek_ex(), SSL_peek(), SSL_shutdown(), 18SSL_write_ex() or SSL_write() on B<ssl>. The value returned by that TLS/SSL I/O 19function must be passed to SSL_get_error() in parameter B<ret>. 20 21In addition to B<ssl> and B<ret>, SSL_get_error() inspects the 22current thread's OpenSSL error queue. Thus, SSL_get_error() must be 23used in the same thread that performed the TLS/SSL I/O operation, and no 24other OpenSSL function calls should appear in between. The current 25thread's error queue must be empty before the TLS/SSL I/O operation is 26attempted, or SSL_get_error() will not work reliably. 27 28=head1 NOTES 29 30Some TLS implementations do not send a close_notify alert on shutdown. 31 32On an unexpected EOF, versions before OpenSSL 3.0 returned 33B<SSL_ERROR_SYSCALL>, nothing was added to the error stack, and errno was 0. 34Since OpenSSL 3.0 the returned error is B<SSL_ERROR_SSL> with a meaningful 35error on the error stack (SSL_R_UNEXPECTED_EOF_WHILE_READING). This error reason 36code may be used for control flow decisions (see the man page for 37L<ERR_GET_REASON(3)> for further details on this). 38 39=head1 RETURN VALUES 40 41The following return values can currently occur: 42 43=over 4 44 45=item SSL_ERROR_NONE 46 47The TLS/SSL I/O operation completed. This result code is returned 48if and only if B<ret E<gt> 0>. 49 50=item SSL_ERROR_ZERO_RETURN 51 52The TLS/SSL peer has closed the connection for writing by sending the 53close_notify alert. 54No more data can be read. 55Note that B<SSL_ERROR_ZERO_RETURN> does not necessarily 56indicate that the underlying transport has been closed. 57 58This error can also appear when the option B<SSL_OP_IGNORE_UNEXPECTED_EOF> 59is set. See L<SSL_CTX_set_options(3)> for more details. 60 61=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE 62 63The operation did not complete and can be retried later. 64 65For non-QUIC SSL objects, B<SSL_ERROR_WANT_READ> is returned when the last 66operation was a read operation from a nonblocking B<BIO>. 67It means that not enough data was available at this time to complete the 68operation. 69If at a later time the underlying B<BIO> has data available for reading the same 70function can be called again. 71 72SSL_read() and SSL_read_ex() can also set B<SSL_ERROR_WANT_READ> when there is 73still unprocessed data available at either the B<SSL> or the B<BIO> layer, even 74for a blocking B<BIO>. 75See L<SSL_read(3)> for more information. 76 77For non-QUIC SSL objects, B<SSL_ERROR_WANT_WRITE> is returned when the last 78operation was a write to a nonblocking B<BIO> and it was unable to send all data 79to the B<BIO>. When the B<BIO> is writable again, the same function can be 80called again. 81 82Note that the retry may again lead to an B<SSL_ERROR_WANT_READ> or 83B<SSL_ERROR_WANT_WRITE> condition. 84There is no fixed upper limit for the number of iterations that 85may be necessary until progress becomes visible at application 86protocol level. 87 88For QUIC SSL objects, the meaning of B<SSL_ERROR_WANT_READ> and 89B<SSL_ERROR_WANT_WRITE> have different but largely compatible semantics. Since 90QUIC implements its own flow control and uses UDP datagrams, backpressure 91conditions in terms of the underlying BIO providing network I/O are not directly 92relevant to the circumstances in which these errors are produced. In particular, 93B<SSL_ERROR_WANT_WRITE> indicates that the OpenSSL internal send buffer for a 94given QUIC stream has been filled. Likewise, B<SSL_ERROR_WANT_READ> indicates 95that the OpenSSL internal receive buffer for a given QUIC stream is empty. 96 97It is safe to call SSL_read() or SSL_read_ex() when more data is available 98even when the call that set this error was an SSL_write() or SSL_write_ex(). 99However, if the call was an SSL_write() or SSL_write_ex(), it should be called 100again to continue sending the application data. If you get B<SSL_ERROR_WANT_WRITE> 101from SSL_write() or SSL_write_ex() then you should not do any other operation 102that could trigger B<IO> other than to repeat the previous SSL_write() call. 103 104For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or 105poll() on the underlying socket can be used to find out when the 106TLS/SSL I/O function should be retried. 107 108Caveat: Any TLS/SSL I/O function can lead to either of 109B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>. 110In particular, 111SSL_read_ex(), SSL_read(), SSL_peek_ex(), or SSL_peek() may want to write data 112and SSL_write() or SSL_write_ex() may want to read data. 113This is mainly because 114TLS/SSL handshakes may occur at any time during the protocol (initiated by 115either the client or the server); SSL_read_ex(), SSL_read(), SSL_peek_ex(), 116SSL_peek(), SSL_write_ex(), and SSL_write() will handle any pending handshakes. 117 118=item SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT 119 120The operation did not complete; the same TLS/SSL I/O function should be 121called again later. The underlying BIO was not connected yet to the peer 122and the call would block in connect()/accept(). The SSL function should be 123called again when the connection is established. These messages can only 124appear with a BIO_s_connect() or BIO_s_accept() BIO, respectively. 125In order to find out, when the connection has been successfully established, 126on many platforms select() or poll() for writing on the socket file descriptor 127can be used. 128 129=item SSL_ERROR_WANT_X509_LOOKUP 130 131The operation did not complete because an application callback set by 132SSL_CTX_set_client_cert_cb() has asked to be called again. 133The TLS/SSL I/O function should be called again later. 134Details depend on the application. 135 136=item SSL_ERROR_WANT_ASYNC 137 138The operation did not complete because an asynchronous engine is still 139processing data. This will only occur if the mode has been set to SSL_MODE_ASYNC 140using L<SSL_CTX_set_mode(3)> or L<SSL_set_mode(3)> and an asynchronous capable 141engine is being used. An application can determine whether the engine has 142completed its processing using select() or poll() on the asynchronous wait file 143descriptor. This file descriptor is available by calling 144L<SSL_get_all_async_fds(3)> or L<SSL_get_changed_async_fds(3)>. The TLS/SSL I/O 145function should be called again later. The function B<must> be called from the 146same thread that the original call was made from. 147 148=item SSL_ERROR_WANT_ASYNC_JOB 149 150The asynchronous job could not be started because there were no async jobs 151available in the pool (see ASYNC_init_thread(3)). This will only occur if the 152mode has been set to SSL_MODE_ASYNC using L<SSL_CTX_set_mode(3)> or 153L<SSL_set_mode(3)> and a maximum limit has been set on the async job pool 154through a call to L<ASYNC_init_thread(3)>. The application should retry the 155operation after a currently executing asynchronous operation for the current 156thread has completed. 157 158=item SSL_ERROR_WANT_CLIENT_HELLO_CB 159 160The operation did not complete because an application callback set by 161SSL_CTX_set_client_hello_cb() has asked to be called again. 162The TLS/SSL I/O function should be called again later. 163Details depend on the application. 164 165=item SSL_ERROR_SYSCALL 166 167Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may 168contain more information on the error. For socket I/O on Unix systems, consult 169B<errno> for details. If this error occurs then no further I/O operations should 170be performed on the connection and SSL_shutdown() must not be called. 171 172This value can also be returned for other errors, check the error queue for 173details. 174 175=item SSL_ERROR_SSL 176 177A non-recoverable, fatal error in the SSL library occurred, usually a protocol 178error. The OpenSSL error queue contains more information on the error. If this 179error occurs then no further I/O operations should be performed on the 180connection and SSL_shutdown() must not be called. 181 182=back 183 184=head1 SEE ALSO 185 186L<ssl(7)> 187 188=head1 HISTORY 189 190The SSL_ERROR_WANT_ASYNC error code was added in OpenSSL 1.1.0. 191The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1. 192 193=head1 COPYRIGHT 194 195Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. 196 197Licensed under the Apache License 2.0 (the "License"). You may not use 198this file except in compliance with the License. You can obtain a copy 199in the file LICENSE in the source distribution or at 200L<https://www.openssl.org/source/license.html>. 201 202=cut 203