From bc3723e970bf5e47d681f719f67899046554459c Mon Sep 17 00:00:00 2001
From: Gerhard Rieger
Date: Tue, 12 Mar 2019 21:09:18 +0100
Subject: [PATCH] OpenSSL: clear SSL_MODE_AUTO_RETRY

---
 CHANGES | 3 +++
 xio-openssl.c | 12 ++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/CHANGES b/CHANGES
index cc5d8f8..4381e78 100644
--- a/CHANGES
+++ b/CHANGES
@@ -77,6 +77,9 @@ Porting:
 RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with configure option --enable-res-deprecated.
+ New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
+ Solution: clear SSL_MODE_AUTO_RETRY when it is set.
+
 Testing:
 test.sh: Show a warning when phase-1 (insecure phase) of a security test fails
diff --git a/xio-openssl.c b/xio-openssl.c
index c9ec557..68b752f 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -1023,6 +1023,18 @@ cont_out:
 }
 #endif
+ /* It seems that OpenSSL-1.1.1 presets the mode differently. Without correction socat might hang in SSL_read() */
+ {
+ long mode = 0;
+ mode = SSL_CTX_get_mode(*ctx);
+ if (mode & SSL_MODE_AUTO_RETRY) {
+ Info("SSL_CTX mode has SSL_MODE_AUTO_RETRY set. Correcting..");
+ Debug1("SSL_CTX_clean_mode(%p, SSL_MODE_AUTO_RETRY)", *ctx);
+ SSL_CTX_clear_mode(*ctx, SSL_MODE_AUTO_RETRY);
+ }
+ }
+
 if (opt_cafile != NULL || opt_capath != NULL) {
 if (sycSSL_CTX_load_verify_locations(*ctx, opt_cafile, opt_capath) != 1) {
 int result;
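Review bot: The Debug1 trace in the xio-openssl.c hunk names a function that does not exist, `SSL_CTX_clean_mode`, while the call on the next line is `SSL_CTX_clear_mode`, so anyone grepping a debug log for the real call will miss it; change it to `Debug1("SSL_CTX_clear_mode(%p, SSL_MODE_AUTO_RETRY)", *ctx);`. The `long mode = 0;` followed immediately by an unconditional assignment can be collapsed to `long mode = SSL_CTX_get_mode(*ctx);`. A caveat worth recording in the comment: with SSL_MODE_AUTO_RETRY cleared, OpenSSL's SSL_read() may return with SSL_ERROR_WANT_READ even on a blocking socket whenever it consumed a non-application record (renegotiation, or TLS 1.3 post-handshake messages such as NewSessionTicket and KeyUpdate), so the read path that this hunk does not show must treat that error as "retry" rather than as a failure or EOF, otherwise the hang is traded for spurious disconnects; I cannot see that path here, so please confirm. The comment should state the reason rather than "it seems", e.g. `/* OpenSSL 1.1.1 enables SSL_MODE_AUTO_RETRY by default; socat's SSL_read() loop relies on WANT_READ being returned after non-application records, so clear it. */`. The enclosing function starts before and continues after the hunk.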