Merge pull request #68866 from ClickHouse/fix-ssl-handshake-error-process

Fix ssl handshake error processing
2024-09-19 16:20:50 +00:00 · 2024-08-25 20:23:24 +00:00 · 2024-08-25 20:23:24 +00:00 · 49f6112e4f
commit 49f6112e4f
parent 5c1cfeec4c f38f95a144
2 changed files with 11 additions and 0 deletions
--- a/base/poco/NetSSL_OpenSSL/src/SecureSocketImpl.cpp
+++ b/base/poco/NetSSL_OpenSSL/src/SecureSocketImpl.cpp
@ -311,6 +311,14 @@ int SecureSocketImpl::sendBytes(const void* buffer, int length, int flags)
 	while (mustRetry(rc, remaining_time));
 	if (rc <= 0)
 	{
+		// At this stage we still can have last not yet received SSL message containing SSL error
+		// so make a read to force SSL to process possible SSL error
+		if (SSL_get_error(_pSSL, rc) == SSL_ERROR_SYSCALL && SocketImpl::lastError() == POCO_ECONNRESET)
+		{
+			char c = 0;
+			SSL_read(_pSSL, &c, 1);
+		}
+
 		rc = handleError(rc);
 		if (rc == 0) throw SSLConnectionUnexpectedlyClosedException();
 	}
--- a/src/Client/Connection.cpp
+++ b/src/Client/Connection.cpp
@ -145,6 +145,9 @@ void Connection::connect(const ConnectionTimeouts & timeouts)
                /// work we need to pass host name separately. It will be send into TLS Hello packet to let
                /// the server know which host we want to talk with (single IP can process requests for multiple hosts using SNI).
                static_cast<Poco::Net::SecureStreamSocket*>(socket.get())->setPeerHostName(host);
+                /// we want to postpone SSL handshake until first read or write operation
+                /// so any errors during negotiation would be properly processed
+                static_cast<Poco::Net::SecureStreamSocket*>(socket.get())->setLazyHandshake(true);
 #else
                throw Exception(ErrorCodes::SUPPORT_IS_DISABLED, "tcp_secure protocol is disabled because poco library was built without NetSSL support.");
 #endif