处理SSL客户端未读取所有数据

首先，一个警告:基于SSL的非阻塞I/O是一个相当复杂的API，很难正确使用。特别是，SSL层有时需要在写入用户数据之前读取内部数据(反之亦然)，并且调用者的代码应该能够根据从它所进行的SSL调用获得的错误代码反馈来处理这些数据。可以使其正确工作，但这并不容易或明显——您事实上需要在代码中实现一个状态机，该状态机与SSL库中的状态机相呼应。

下面是所需逻辑的简化版本(它是从这个文件中的Write()方法中提取的，该方法是这个库的一部分，如果您想看到一个完整的，工作的实现)

enum {
   SSL_STATE_READ_WANTS_READABLE_SOCKET   = 0x01,
   SSL_STATE_READ_WANTS_WRITEABLE_SOCKET  = 0x02,
   SSL_STATE_WRITE_WANTS_READABLE_SOCKET  = 0x04,
   SSL_STATE_WRITE_WANTS_WRITEABLE_SOCKET = 0x08
};
// a bit-chord of SSL_STATE_* bits to keep track of what 
// the SSL layer needs us to do next before it can make more progress
uint32_t _sslState = 0;
// Note that this method returns the number of bytes sent, or -1
// if there was a fatal error.  So if this method returns 0 that just
// means that this function was not able to send any bytes at this time.
int32_t SSLSocketDataIO :: Write(const void *buffer, uint32 size)
{
   int32_t bytes = SSL_write(_ssl, buffer, size);
   if (bytes > 0) 
   {
      // SSL was able to send some bytes, so clear the relevant SSL-state-flags
      _sslState &= ~(SSL_STATE_WRITE_WANTS_READABLE_SOCKET | SSL_STATE_WRITE_WANTS_WRITEABLE_SOCKET);
   }
   else if (bytes == 0) 
   {
      return -1;  // the SSL connection was closed, so return failure
   }
   else
   {
      // The SSL layer's internal needs aren't being met, so we now have to
      // ask it what its problem is, then give it what it wants.  :P
      int err = SSL_get_error(_ssl, bytes);
      if (err == SSL_ERROR_WANT_READ)
      {
         // SSL can't write anything more until the socket becomes readable,
         // so we need to go back to our event loop, wait until the
         // socket select()'s as readable, and then call SSL_Write() again.
         _sslState |=  SSL_STATE_WRITE_WANTS_READABLE_SOCKET;
         _sslState &= ~SSL_STATE_WRITE_WANTS_WRITEABLE_SOCKET;
         bytes = 0;  // Tell the caller we weren't able to send anything yet
      }
      else if (err == SSL_ERROR_WANT_WRITE)
      {
         // SSL can't write anything more until the socket becomes writable,
         // so we need to go back to our event loop, wait until the
         // socket select()'s as writeable, and then call SSL_Write() again.
         _sslState &= ~SSL_STATE_WRITE_WANTS_READABLE_SOCKET;
         _sslState |=  SSL_STATE_WRITE_WANTS_WRITEABLE_SOCKET;
         bytes = 0;  // Tell the caller we weren't able to send anything yet
      }
      else
      {
         // SSL had some other problem I don't know how to deal with,
         // so just print some debug output and then return failure.
         fprintf(stderr,"SSL_write() ERROR!");
         ERR_print_errors_fp(stderr);
      }
   }
   return bytes;  // Returns the number of bytes we actually sent
}

我想你的问题是

restrongize -= bytes_sent;

你应该做restrongize -= tmp_bytes_sent;

if (tmp_bytes_sent < 0){
            std::cout << tmp_bytes_sent << std::endl;
           //its an error condition
          return bytes_sent;
        }

我不知道这是否会解决问题，但你粘贴的代码有上述问题

当我写的数据多于客户端读的数据时，我的服务器崩溃了。

不，它不会，除非你严重错误地编码了你没有在这里发布的其他东西。它要么永远循环，要么得到一个错误:可能是ECONNRESET，这意味着客户端已经按照您描述的行为，并且您已经检测到它，所以您应该关闭连接并忘记他。相反，你只是在永远循环，试图将数据发送到一个断开的连接，这是永远不会发生的。

当出现错误时，仅仅打印一个-1并没有多大用处。您应该打印错误，perror()或errno或strerror()。

说到永远循环，不要这样循环。SSL_write()可以返回0，而您根本没有处理它:这将导致无限循环。请参阅下面David Schwartz的评论

注意，你绝对应该使用第二种方法。OpenSSL需要知道套接字处于非阻塞模式。

两者都有各自的缺点

如?

如另一个答案所述，

rest_size -= bytes_sent;

rest_size -= tmp_bytes_sent;