Found another gem in the code-base I've been given to troubleshoot.

Let's call recv(), get the TLS encrypted message, and then call BIO_write() and SSL_read() instead of offloading it to OpenSSL.

But if we use a library we lose control of the data flow \s

@msdsk "we can't change that, our framework does not have this option"

↑↑ I've heard it far too many times. Leading to libraries/frameworks being raped the amateur way.

Your comment has merit. But it's not a rule that it's OK to give away control of the flow.

@msdsk I've done it myself as well. Adding a cronjob to launch GDB, attach to a Java process to close a FD linked to a TCP socket to an HTTP resource, because there was no way to specify a TCP Read Timeout in the framework we used.

@msdsk I hate to lose control of d data flow too, but sometimes we have to for one or another reason... and that freaks me out...but hey it's not my business after all ;}

OpenSSL has a library...

Or what is meant by flow?

I could understand if someone started a CLI to run openssl with data given to stdin that that is a complete loss of data flow...
("Things I've seen" trademark)

But in a library? Why...?