[openssl-users] What is the best practice for shutdown of SSL connections?

Serj rasjv at yandex.com
Mon Feb 2 06:23:19 UTC 2015


Hi, Viktor.

02.02.2015, 02:08, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
> On Mon, Feb 02, 2015 at 01:32:42AM +0300, Serj wrote:
>>  But what about the best practice for shutdown of connection on the client side?
>
>     http://tools.ietf.org/html/rfc5246#section-7.2.1

I read the RFC. I have read "7.2.1. Closure Alerts" once again.
But this is the normative document. I ask: what is done in practice, in terms of the OpenSSL API?

As I already said, some servers don't send "close_notify" and just close the connection.

So I think the shutdown algorithm for SSL client must be the following:
-------------------------------------------------------------------------
//...
//all data has been obtained from the server

if (SSL_shutdown(ssl)==1)
{
  closesocket(s);
  goto l_shutdown_complete;
}

shutdown(s,SD_SEND);

//set a timeout for getting "close_notify" from the SERVER
//in a loop... wait for events from the socket or the timeout (whichever comes first):
//
//1. process SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE (in this case only SSL_ERROR_WANT_READ, because it seems SSL_shutdown() sends the "close_notify" alert to the SERVER), call SSL_shutdown() once again and examine its return value for 1, OR examine SSL_get_shutdown() for (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)
//
//2. wait for FD_CLOSE
//
//3. timeout

//if one of the three happens, closesocket(s)
-------------------------------------------------------------------------



>>  And what about the best practice for shutdown of the connection on the server
>>  side? Is it mandatory to wait for "close_notify" from the client to be able to
>>  save a valid session for this client, or not? If the server closes the connection
>>  after all data has been sent to the client and doesn't receive "close_notify",
>>  will the session be kept?
>
>     http://tools.ietf.org/html/rfc5246#section-7.2.1

I ask: what is done in practice, in terms of the OpenSSL API?
If the SERVER closes the connection after all data has been sent to the client and does not wait for the "close_notify" alert from the CLIENT, will the session be kept and valid in the OpenSSL API?
I mean, can the CLIENT then reuse this session if it doesn't send the "close_notify" alert? Or will this session be invalid?

--
Best Regards,

Serj

