[fix] read_nonblock(exception: false) raising SSLErrorWaitReadable

`readAndUnwrap()` called doHandshake(blocking) assuming `exception = true`

When a post-handshake TLS event (e.g. TLS 1.3 NewSessionTicket) triggered
handshake during a non-blocking read, waitSelect raised SSLErrorWaitReadable
instead of returning :wait_readable.

Author: kares

src/main/java/org/jruby/ext/openssl/SSLSocket.java

@@ -553,10 +553,6 @@ private static void writeWouldBlock(final Ruby runtime, final boolean exception,
         result[0] = WRITE_WOULD_BLOCK_RESULT;
     }
 
-    private void doHandshake(final boolean blocking) throws IOException {
-        doHandshake(blocking, true);
-    }
-
     // might return :wait_readable | :wait_writable in case (true, false)
     private IRubyObject doHandshake(final boolean blocking, final boolean exception) throws IOException {
         while (true) {
@@ -706,11 +702,15 @@ public int write(ByteBuffer src, boolean blocking) throws SSLException, IOExcept
     }
 
     public int read(final ByteBuffer dst, final boolean blocking) throws IOException {
+        return read(dst, blocking, true);
+    }
+
+    private int read(final ByteBuffer dst, final boolean blocking, final boolean exception) throws IOException {
         if ( initialHandshake ) return 0;
         if ( engine.isInboundDone() ) return -1;
 
         if ( ! appReadData.hasRemaining() ) {
-            int appBytesProduced = readAndUnwrap(blocking);
+            int appBytesProduced = readAndUnwrap(blocking, exception);
             if (appBytesProduced == -1 || appBytesProduced == 0) {
                 return appBytesProduced;
             }
@@ -722,6 +722,10 @@ public int read(final ByteBuffer dst, final boolean blocking) throws IOException
     }
 
     private int readAndUnwrap(final boolean blocking) throws IOException {
+        return readAndUnwrap(blocking, true);
+    }
+
+    private int readAndUnwrap(final boolean blocking, final boolean exception) throws IOException {
         final int bytesRead = socketChannelImpl().read(netReadData);
         if ( bytesRead == -1 ) {
             if ( ! netReadData.hasRemaining() ||
@@ -769,7 +773,7 @@ private int readAndUnwrap(final boolean blocking) throws IOException {
                 handshakeStatus == SSLEngineResult.HandshakeStatus.NEED_TASK ||
                 handshakeStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP ||
                 handshakeStatus == SSLEngineResult.HandshakeStatus.FINISHED ) ) {
-            doHandshake(blocking);
+            doHandshake(blocking, exception);
         }
         return appReadData.remaining();
     }
@@ -852,7 +856,7 @@ private IRubyObject sysreadImpl(final ThreadContext context, final IRubyObject l
                 if ( engine == null ) {
                     read = socketChannelImpl().read(dst);
                 } else {
-                    read = read(dst, blocking);
+                    read = read(dst, blocking, exception);
                 }
 
                 if ( read == -1 ) {

src/test/ruby/ssl/test_write_flush.rb

@@ -138,11 +138,6 @@ def read_with_timeout(ssl, timeout_sec)
             # we've received a plausible amount we can stop.
             break if response.include?("OK:")  && response.bytesize >= 67
           end
-        rescue IO::WaitReadable
-          # Can occur despite exception: false and IO.select — TLS protocol
-          # data (e.g. post-handshake messages) made the socket look readable
-          # but no application data is available yet.
-          next
         rescue EOFError
           break
         end