return;
if (__ustream_ssl_connect(us) == U_SSL_OK) {
+
+ /* __ustream_ssl_connect() will also return U_SSL_OK when certificate
+ * verification failed!
+ *
+ * Applications may register a custom .notify_verify_error callback in the
+ * struct ustream_ssl which is called upon verification failures, but there
+ * is no straight forward way for the callback to terminate the connection
+ * initiation right away, e.g. through a true or false return value.
+ *
+ * Instead, existing implementations appear to set .eof field of the underlying
+ * ustream in the hope that this inhibits further operations on the stream.
+ *
+ * Declare this informal behaviour "official" and check for the state of the
+ * .eof member after __ustream_ssl_connect() returned, and do not write the
+ * pending data if it is set to true.
+ */
+
+ if (us->stream.eof)
+ return;
+
us->connected = true;
if (us->notify_connected)
us->notify_connected(us);
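Review bot: The early return at `if (us->stream.eof) return;` silently abandons the connection attempt: nothing records an error or tells the application that the handshake finished but the peer was rejected, so a caller waiting on `.notify_connected` never hears back and has to infer the outcome from the stream going EOF. Since the long comment admits the check rests on the informal convention that the verify callback sets `.eof`, state that contract at the call site too, e.g. `/* verify callback rejected the peer by setting .eof: do not report the stream as connected */`. Applications that install no `.notify_verify_error` callback still get a connected stream after a failed verification unless validation is enforced elsewhere, which this hunk does not show. The enclosing function starts and ends outside the hunk.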
break;
ret = __ustream_ssl_read(us, buf, len);
+ if (ret == U_SSL_PENDING) {
+ ustream_poll(us->conn);
+ ret = __ustream_ssl_read(us, buf, len);
+ }
+
switch (ret) {
case U_SSL_PENDING:
return more;
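Review bot: The retry on `U_SSL_PENDING` calls `ustream_poll(us->conn)` with no comment explaining why a synchronous poll of the underlying connection is needed before the second `__ustream_ssl_read`, and the poll may run the connection's read callbacks before that second read, so re-entry into this read path should be considered (inferred; the callback wiring is outside the hunk). A short comment would preserve the reasoning, e.g. `/* PENDING may only mean the TLS layer wants more raw input: pull it in once before reporting 'more' */`. Only a single retry is made, so the `case U_SSL_PENDING: return more;` path below still covers the persistent case. The enclosing function starts outside the hunk.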
if (!us->ssl)
return -ENOMEM;
+ conn->r.max_buffers = 4;
conn->next = &us->stream;
ustream_set_io(ctx, us->ssl, conn);
ustream_ssl_stream_init(us);
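Review bot: `conn->r.max_buffers = 4;` is a bare magic number with no comment on what it bounds or why 4 was chosen, and it is the only tuning of the raw connection made in this function. Give it a named constant or at least a comment, e.g. `conn->r.max_buffers = 4; /* cap read buffering on the raw socket; rationale for 4 to be documented */`, so the next reader does not have to rediscover whether it is a memory bound or a back-pressure setting. The enclosing function starts outside the hunk.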
.context_set_crt_file = __ustream_ssl_set_crt_file,
.context_set_key_file = __ustream_ssl_set_key_file,
.context_add_ca_crt_file = __ustream_ssl_add_ca_crt_file,
+ .context_set_ciphers = __ustream_ssl_set_ciphers,
+ .context_set_require_validation = __ustream_ssl_set_require_validation,
+ .context_set_debug = __ustream_ssl_set_debug,
.context_free = __ustream_ssl_context_free,
.init = _ustream_ssl_init,
.set_peer_cn = _ustream_ssl_set_peer_cn,