From c9c385d2fea2be902b0f27b88e76f0bfd7f3eb18 Mon Sep 17 00:00:00 2001
From: Nanang Izzuddin
Date: Wed, 25 Dec 2024 16:09:07 +0900
Subject: [PATCH 1/2] Fix SSL to continue decrypting data after renego completes

---
 pjlib/src/pj/ssl_sock_imp_common.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pjlib/src/pj/ssl_sock_imp_common.c b/pjlib/src/pj/ssl_sock_imp_common.c
index f1d1db63dd..811c960fd1 100644
--- a/pjlib/src/pj/ssl_sock_imp_common.c
+++ b/pjlib/src/pj/ssl_sock_imp_common.c
@@ -867,6 +867,11 @@ static pj_bool_t ssock_on_data_read (pj_ssl_sock_t *ssock,
                                   "Failed to flush delayed send"));
                     goto on_error;
                 }
+
+                /* If renego has been completed, continue reading data */
+                if (status == PJ_SUCCESS)
+                    continue;
+
             } else if (status != PJ_EPENDING) {
                 PJ_PERROR(1,(ssock->pool->obj_name, status,
                              "Renegotiation failed"));

From 5bb2d607caf0f87ec4638a5489417601490ac5fd Mon Sep 17 00:00:00 2001
From: Nanang Izzuddin
Date: Wed, 25 Dec 2024 21:51:11 +0900
Subject: [PATCH 2/2] Update SSL socket with OpenSSL backend to return PJ_EEOF only when renegotiation is needed (or not completed).

---
 pjlib/src/pj/ssl_sock_ossl.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c
index 67f386d00d..8524c43b79 100644
--- a/pjlib/src/pj/ssl_sock_ossl.c
+++ b/pjlib/src/pj/ssl_sock_ossl.c
@@ -2476,7 +2476,9 @@ static pj_status_t ssl_read(pj_ssl_sock_t *ssock, void *data, int *size)
             /* SSL might just return SSL_ERROR_WANT_READ in
              * re-negotiation.
              */
-            if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ) {
+            if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ &&
+                err != SSL_ERROR_ZERO_RETURN)
+            {
                 if (err == SSL_ERROR_SYSCALL && size_ == -1 &&
                     ERR_peek_error() == 0 && errno == 0)
                 {
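Review bot: The guard `if (status == PJ_SUCCESS)` in front of the new `continue` looks always true where it sits: the context just above only reaches that point after the "Failed to flush delayed send" check jumped to on_error for any non-success status, so the loop continues unconditionally once a renegotiation completes (the `if` that wraps the flush call starts above the hunk, so this does not hold if `status` is reassigned elsewhere in that branch). If the continue is meant to be unconditional, drop the guard and say so: `/* Renegotiation completed; go back to reading application data */ continue;`. It is also worth a comment on what guarantees progress after the `continue`, since the re-read has to eventually return something other than "renegotiation pending" or a peer that keeps a handshake in flight keeps this callback looping. ssock_on_data_read starts before the hunk and ends after it.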
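Review bot: Excluding SSL_ERROR_ZERO_RETURN from the error branch changes what a peer's close_notify produces: with the handshake finished, that case now skips the error block, passes the `!SSL_is_init_finished` check added in the second hunk (L2) and reaches the code after it with `size_` equal to 0 (and, for SSL_ERROR_WANT_READ on an established session, -1), where before the patch both cases returned PJ_EEOF. Whether that is still reported as end-of-stream depends on the lines after the hunk, which are not shown; if they simply hand `size_` back through `*size`, callers receive a 0-byte or -1-byte "successful" read and the read loop in ssock_on_data_read (patch 1) may keep re-reading a session the peer has already closed. I would handle close_notify explicitly before the fall-through, e.g. `if (err == SSL_ERROR_ZERO_RETURN) { pj_lock_release(ssock->write_mutex); *size = 0; return PJ_EEOF; }` if PJ_EEOF is still the end-of-stream status callers expect, and clamp `*size` to 0 whenever `size_` is negative. ssl_read starts before the hunk and ends after it.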
@@ -2499,9 +2501,11 @@ static pj_status_t ssl_read(pj_ssl_sock_t *ssock, void *data, int *size)
                 }
             }
-            pj_lock_release(ssock->write_mutex);
-            /* Need renegotiation */
-            return PJ_EEOF;
+            /* Return PJ_EEOF when SSL needs renegotiation */
+            if (!SSL_is_init_finished(ossock->ossl_ssl)) {
+                pj_lock_release(ssock->write_mutex);
+                return PJ_EEOF;
+            }
         }
         pj_lock_release(ssock->write_mutex);
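Review bot: The new comment `/* Return PJ_EEOF when SSL needs renegotiation */` understates the condition it documents: SSL_is_init_finished() is also false during the initial handshake, and with TLS 1.3 there is no renegotiation at all, so the branch really means "a handshake is still in progress". Suggest `/* Handshake (initial or renegotiation) not finished yet: report PJ_EEOF so the caller waits for more handshake data instead of treating this as application data */`. The function-level documentation of ssl_read, which is outside the hunk, should state the new contract as well: PJ_EEOF now means handshake incomplete rather than "no data", and what a non-EEOF return with `size_` <= 0 means to callers.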