I would like to know the proper way to handle a new connection from a client using AcceptEx and OpenSSL. I have a perfectly good working server that uses AcceptEx with IO Completion Ports over regular HTTP. I would like to add OpenSSL support to it.

I have read several articles on the internet about using OpenSSL with non blocking sockets:

• IO Completion Ports and OpenSSL
• http://zzz.zggg.com/2007/12/22/ssl-server-with-openssl-memory-bio-a-k-a-prerequisite-to-asynchronous-openssl/
• http://marc.info/?l=openssl-users&m=99909952822335&w=2
• http://www.lenholgate.com/blog/2002/11/using-openssl-with-asynchronous-sockets.html

None of them seem to touch on how to do this because they are mostly concerned with the client side of the connection. AcceptEx establishes the socket connection AND returns you the first piece of data sent from the client. The first link I posted discusses how you should handle incoming data with IOCP. I have tried what is posted there without any luck so far. Basically what I’m seeing on my server is the following:

1. The accepted connection completion is received.
2. I create the SSL object with SSL_new(ctx)
3. I create the in and out BIO objects with BIO_new(BIO_s_mem()).
4. I set the BIOs in the SSL object by calling SSL_set_bio(ssl, bioIn, bioOut).
5. I call SSL_set_accept_state(ssl) to allow SSL_read and SSL_write to do negotiations.

I then proceed to trying to deal with the first buffer of data that was read by the AcceptEx call.

6. I call BIO_Write(bioIn, buf, len) to copy the read data into SSL.
7. I then check for pending handshake data on bioOut to see if that needs to be sent back to the client. When accepting a new connection I have never seen there be any data in bioOut at this point though.
8. I then call SSL_read(ssl, plainTextBuf, len) to try to decrypt the data that I put into bioIn during step 6. This always returns -1, and SSL_get_error returns ERROR_SSL_WANT_READ. As I understand it, this means that bioIn doesn’t have a full SSL record, so SSL needs more data from the client before it can decrypt anything.

Here is where I start to run into problems, and its where I think I need some direction. I have tried a number of things. If I repeatedly call SSL_read at this point, it will infinitely return ERROR_SSL_WANT_READ, presumably because using a memory BIO doesn’t actually communicate over the socket to receive any more data. Should I post a WSARecv call to await more data from the client?

I have also tried checking the bioOut buffer using BIO_read at this point to see if there is data I need to send back to the client. Indeed there is some, and I send this back using WSASend as well as posting another WSARecv call to wait for more data (in response to my send). This results in receiving some more data from the client (the WSARecv completes after the send goes through), so it appears as if the connection is progressing. However, when I handle this completed read, both SSL_read and BIO_read return ERROR_SSL_WANT_READ. So, I don’t have enough data to decrypt a full record, and there is nothing for me to send back to the client. Posting another WSARecv call in response to this situation does not receive any more data from the client either. I don’t know what SSL wants here.

I’m stuck right now, but I’ll keep trying more things. I will update this question with comments if I figure anything out.