[openssl-users] What is the best practise for shutdown SSL connections?
Serj
rasjv at yandex.com
Mon Feb 2 06:23:19 UTC 2015
Hi, Viktor.
02.02.2015, 02:08, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
> On Mon, Feb 02, 2015 at 01:32:42AM +0300, Serj wrote:
>> But what about the best practice for shutdown of connection on the client side?
>
> http://tools.ietf.org/html/rfc5246#section-7.2.1
I read the RFC. I have read "7.2.1. Closure Alerts" once again.
But that is the normative document. I ask: what is the practice in terms of the OpenSSL API?
As I already said, some servers don't send "close_notify" and just close the connection.
So I think the shutdown algorithm for an SSL client must be the following:
-------------------------------------------------------------------------
//...
//all data has been obtained from the server
if (SSL_shutdown(ssl)==1)
{
closesocket(s);
goto l_shutdown_complete;
}
shutdown(s,SD_SEND);
//set a timeout for getting "close_notify" from the SERVER
//in a loop... wait for events from the socket or the timeout (whichever comes first):
//
//1. process SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE (in this case only
//   SSL_ERROR_WANT_READ, because it seems SSL_shutdown() sends the "close_notify"
//   alert to the SERVER), call SSL_shutdown() once again and examine its return
//   value for 1, OR examine SSL_get_shutdown() for
//   (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)
//
//2. Wait for FD_CLOSE
//
//3. Timeout
//if one of the three happens, closesocket(s)
-------------------------------------------------------------------------
>> And what about the best practice for shutdown of connection on the server
>> side? Is it mandatory to wait "close_notify" from client to be able to
>> save valid session for this client or not? If server close the connection
>> after all data has been sent to the client and don't receive "close_notify",
>> will be the session kept?
>
> http://tools.ietf.org/html/rfc5246#section-7.2.1
I ask: what is the practice in terms of the OpenSSL API?
If the SERVER closes the connection after all data has been sent to the client and does not wait for the "close_notify" alert from the CLIENT, will the session be kept and valid in the OpenSSL API?
I mean, can the CLIENT then reuse this session if it doesn't send the "close_notify" alert? Or will this session be invalid?
--
Best Regards,
Serj