[openssl-users] What is the best practise for shutdown SSL connections?
Serj
rasjv at yandex.com
Sun Feb 1 21:28:12 UTC 2015
Hi, Viktor.
01.02.2015, 23:50, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
> On Sun, Feb 01, 2015 at 11:36:20PM +0300, Serj wrote:
>> 1. Return values for SSL_shutdown()
>
> 0 initially if shutdown alert sent, but not yet received from
> the peer.
>> I never get 2 as a return value!
>
> Why do you expect "2"? [ Note, something is screwing up itemized
> lists in the on-line documentation. Instead of showing item labels,
> item numbers are showing up instead. ]
Here: https://www.openssl.org/docs/ssl/SSL_shutdown.html I see only this:
-----------------------------------------------------
RETURN VALUES
The following return values can occur:
1. The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional shutdown shall be performed. The output of SSL_get_error may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
2. The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close notify" alert was received.
<0
The shutdown was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. It can also occur if action is need to continue the operation for non-blocking BIOs. Call SSL_get_error with the return value ret to find out the reason.
-----------------------------------------------------
> The nroff manpage says:
> RETURN VALUES
> The following return values can occur:
>
> 0 The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional
> shutdown shall be performed. The output of SSL_get_error(3) may be misleading, as an erroneous
> SSL_ERROR_SYSCALL may be flagged even though no error occurred.
>
> 1 The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close
> notify" alert was received.
>
> -1 The shutdown was not successful because a fatal error occurred either at the protocol level or a
> connection failure occurred. It can also occur if action is need to continue the operation for
> non-blocking BIOs. Call SSL_get_error(3) with the return value ret to find out the reason.
Seems to be this is right.
This is exactly what I wanted to see here: https://www.openssl.org/docs/ssl/SSL_shutdown.html
>> 2. What is the best practise for shutdown SSL connections for CLIENT?
>
> Call ssl_shutdown() and if it returns 0, call it again processing
> WANT_READ/WANT_WRITE as required.
I use non-blocking sockets. That's why I got -1 as return value after first ssl_shutdown().
I process WANT_READ/WANT_WRITE. But some servers don't send "close_notify", so we never got a 1 as a return value.
We must be sure that server got a "close_notify" - this is the question! What is the best practise for that?
--
Best Regards,
Serj
More information about the openssl-users
mailing list