<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>@Karl, thanks, I’m not sure of anything. This was my first OpenSSL project and I just hacked on it until it “worked.” It’s been working for years but now we are seeing a re-connection error.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>So, it sounds like<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span style='color:#1F497D'>Do the SSL_shutdown() a second time if it returns 0.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span style='color:#1F497D'>Lose the SSL_clear()<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span style='color:#1F497D'>There is an SSL_free() in there following the snippet I pasted – leave it in there<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-family:Symbol;color:#1F497D'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span style='color:#1F497D'>Clean up the underlying 
socket appropriately. Looks like perhaps shutdown(socket, SD_BOTH) is the Windows equivalent of SHUT_RDWR – followed by closesocket()<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Thanks again!<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><i><span style='color:#1F497D'>Charles<o:p></o:p></span></i></p></div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> openssl-users [mailto:openssl-users-bounces@openssl.org] <b>On Behalf Of </b>Karl Denninger<br><b>Sent:</b> Friday, January 11, 2019 10:04 AM<br><b>To:</b> openssl-users@openssl.org<br><b>Subject:</b> Re: [openssl-users] Close TCP socket after SSL_clear()?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p><o:p> </o:p></p><div><p class=MsoNormal>On 1/10/2019 17:07, Charles Mills wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>On Windows, for a new session, I am issuing a Windows accept() followed by SSL_new(), SSL_set_fd() and so forth.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>When the session sees some sort of an abnormal receive condition, I am doing<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.5pt;font-family:Consolas'>       </span><span style='font-size:9.5pt;font-family:Consolas;color:blue'>int</span><span style='font-size:9.5pt;font-family:Consolas'> </span><b><span style='font-size:9.5pt;font-family:Consolas;color:navy'>retCode</span></b><span 
style='font-size:9.5pt;font-family:Consolas'> = </span><span style='font-size:9.5pt;font-family:Consolas;color:#880000'>SSL_get_shutdown</span><span style='font-size:9.5pt;font-family:Consolas'>(</span><span style='font-size:9.5pt;font-family:Consolas;color:navy'>sessionSSL</span><span style='font-size:9.5pt;font-family:Consolas'>);</span><o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.5pt;font-family:Consolas'>       </span><span style='font-size:9.5pt;font-family:Consolas;color:blue'>if</span><span style='font-size:9.5pt;font-family:Consolas'> ( </span><b><span style='font-size:9.5pt;font-family:Consolas;color:navy'>retCode</span></b><span style='font-size:9.5pt;font-family:Consolas'> & </span><span style='font-size:9.5pt;font-family:Consolas;color:#A000A0'>SSL_RECEIVED_SHUTDOWN</span><span style='font-size:9.5pt;font-family:Consolas'> )</span><o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.5pt;font-family:Consolas'>       {</span><o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.5pt;font-family:Consolas'>              </span><span style='font-size:9.5pt;font-family:Consolas;color:#880000'>SSL_shutdown</span><span style='font-size:9.5pt;font-family:Consolas'>(</span><span style='font-size:9.5pt;font-family:Consolas;color:navy'>sessionSSL</span><span style='font-size:9.5pt;font-family:Consolas'>);</span><o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.5pt;font-family:Consolas'>       }</span><o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.5pt;font-family:Consolas'>       </span><span style='font-size:9.5pt;font-family:Consolas;color:blue'>else</span><o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.5pt;font-family:Consolas'>       {</span><o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><span 
style='font-size:9.5pt;font-family:Consolas'>              </span><span style='font-size:9.5pt;font-family:Consolas;color:#880000'>SSL_clear</span><span style='font-size:9.5pt;font-family:Consolas'>(</span><span style='font-size:9.5pt;font-family:Consolas;color:navy'>sessionSSL</span><span style='font-size:9.5pt;font-family:Consolas'>);</span><o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.5pt;font-family:Consolas'>       }</span><o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:9.5pt;font-family:Consolas'> </span><o:p></o:p></p><p class=MsoNormal>Questions:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>       </span></span><![endif]>Do I also need to do a closesocket() (equivalent to UNIX close()) on the Windows socket?<o:p></o:p></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>       </span></span><![endif]>Does anyone want to critique the above logic in any other way?<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The code basically “works” but I see evidence that a Windows TCP session is still open following an SSL error.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><i>Charles Mills</i><br><br><br><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p></blockquote><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Are you sure you want to use SSL_clear() in the first place?  
It retains the session's settings, which is only useful if the *exact* same peer is going to reconnect on the same SSL object.  If a *different* peer connects there's a decent shot that the connection will fail.<o:p></o:p></span></p><p>You also likely want to call SSL_shutdown(connection) again IF the first call returns zero; the first one sends a notification and if the other end hasn't closed yet returns zero.  The second waits for a termination, either normal notification or abnormal, from the other end.<o:p></o:p></p><p>    if (!SSL_shutdown(connection)) {<br>        SSL_shutdown(connection);<br>    }<o:p></o:p></p><p>The underlying handle is still open at the OS level after this, so on Unix anyway you want to notify the OS that the socket is invalid for further I/O and then close it.<o:p></o:p></p><p>Code snippet (took_error is a flag that says "this connection is no longer needed", it could be either an error in the higher level code or a "we're all done, let this connection go" indication):<o:p></o:p></p><p>                if (slave_socket[x].took_error) {<br>                    slave_socket[x].connected = 0;  /* Connection is void */<br>                    if (slave_socket[x].ssl_fd != NULL) { /* If there's a valid SSL connection */<br>                        if (!SSL_shutdown(slave_socket[x].ssl_fd)) {<br>                            SSL_shutdown(slave_socket[x].ssl_fd);<br>                        }<br>                        SSL_free(slave_socket[x].ssl_fd);<br>                        slave_socket[x].ssl_fd = NULL; /* Don't keep a dangling pointer to the freed object */<br>                        slave_socket[x].ssl = 0; /* We are not in SSL mode */<br>                    }<br>                    shutdown(slave_socket[x].fd, SHUT_RDWR);<br>                    close(slave_socket[x].fd);<o:p></o:p></p><p>                    ..... 
Clean up the rest of the things you need to do when the connection ends<o:p></o:p></p><p>Since the next connection may come from a different peer I do not use SSL_clear but rather SSL_free.<o:p></o:p></p><p>The call to shutdown() tells the OS to send any data queued on the socket, wait for an ACK and then send FIN.<o:p></o:p></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>-- <br>Karl Denninger<br><a href="mailto:karl@denninger.net">karl@denninger.net</a><br><i>The Market Ticker</i><br></span><i><span style='font-size:7.5pt;font-family:"Times New Roman","serif"'>[S/MIME encrypted email preferred]</span></i><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p></div></div></body></html>
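<p>As an added illustration (not code from this thread, from Charles's program, or from OpenSSL), here is the teardown order the thread recommends written against a small function table, so the sequence can be exercised without a live TLS peer. In a real program the four callbacks are SSL_shutdown(), SSL_free(), shutdown(fd, SHUT_RDWR) (SD_BOTH on Windows) and close() or closesocket(); the struct and function names, the fake peer and the numeric return codes of close_tls_connection() are this example's own assumptions. It also covers the case the thread leaves implicit: a negative SSL_shutdown() return is a fatal error and must not be retried, but SSL_free() and the socket cleanup still run.</p>

```c
/* Added example, not code from the thread or from OpenSSL: the teardown
 * order recommended above, written against a small function table so the
 * sequence can be exercised here without a live TLS peer.  In a real
 * program the four callbacks are SSL_shutdown(), SSL_free(),
 * shutdown(fd, SHUT_RDWR) (SD_BOTH on Windows) and close()/closesocket(). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS_SHUT_RDWR 2   /* value of SHUT_RDWR on POSIX and SD_BOTH on Winsock */

struct tls_ops {                            /* names assumed for this example */
    int  (*ssl_shutdown)(void *ssl);        /* SSL_shutdown(): 1 done, 0 sent only, <0 error */
    void (*ssl_free)(void *ssl);            /* SSL_free() */
    int  (*sock_shutdown)(int fd, int how); /* shutdown() */
    int  (*sock_close)(int fd);             /* close() / closesocket() */
};

struct conn {
    void *ssl;        /* NULL when the connection is not in TLS mode */
    int   fd;
    int   connected;
};

/* Returns 0 after a clean bidirectional TLS shutdown, 1 when the TLS layer was
 * torn down without the peer's close_notify (fatal error or peer silent), and
 * 2 when the socket layer itself failed.  The codes are this example's own. */
int close_tls_connection(const struct tls_ops *ops, struct conn *c)
{
    int clean = 1;
    int sock_ok;

    c->connected = 0;
    if (c->ssl != NULL) {
        int rc = ops->ssl_shutdown(c->ssl);
        if (rc == 0)                  /* our close_notify went out; peer's not seen yet */
            rc = ops->ssl_shutdown(c->ssl);
        if (rc != 1)                  /* still 0, or <0: never retry after a fatal error */
            clean = 0;
        ops->ssl_free(c->ssl);        /* SSL_free, not SSL_clear: the next peer may differ */
        c->ssl = NULL;                /* no dangling pointer for a later cleanup pass */
    }
    sock_ok = ops->sock_shutdown(c->fd, TLS_SHUT_RDWR) == 0;  /* flush, ACK, FIN */
    if (ops->sock_close(c->fd) != 0)
        sock_ok = 0;
    c->fd = -1;
    if (!sock_ok)
        return 2;
    return clean ? 0 : 1;
}

/* ---- constructed fakes: record the call order instead of touching a socket ---- */
enum { PEER_REPLIES_LATER = 0, PEER_ALREADY_CLOSED = 1, PEER_FATAL_ERROR = -1 };

static char trace[32];        /* S = SSL_shutdown, F = SSL_free, D = shutdown, C = close */
static int  peer_mode;
static int  shutdown_calls;

static void record(char op)
{
    size_t n = strlen(trace);
    if (n + 1 < sizeof trace) { trace[n] = op; trace[n + 1] = '\0'; }
}

static int fake_ssl_shutdown(void *ssl)
{
    (void)ssl;
    record('S');
    shutdown_calls++;
    if (peer_mode == PEER_FATAL_ERROR)    return -1;
    if (peer_mode == PEER_ALREADY_CLOSED) return 1;   /* close_notify already received */
    return shutdown_calls >= 2 ? 1 : 0;               /* peer answers on the second call */
}
static void fake_ssl_free(void *ssl)             { (void)ssl; record('F'); }
static int  fake_sock_shutdown(int fd, int how)  { (void)fd; (void)how; record('D'); return 0; }
static int  fake_sock_close(int fd)              { (void)fd; record('C'); return 0; }

static const struct tls_ops fake_ops = {
    fake_ssl_shutdown, fake_ssl_free, fake_sock_shutdown, fake_sock_close
};

/* Runs one teardown against the fakes; with_tls == 0 models a plain TCP connection. */
int run_teardown(int mode, int with_tls)
{
    static int dummy_ssl;
    struct conn c = { with_tls ? (void *)&dummy_ssl : NULL, 7, 1 };
    trace[0] = '\0';
    peer_mode = mode;
    shutdown_calls = 0;
    return close_tls_connection(&fake_ops, &c);
}

const char *last_trace(void) { return trace; }

int main(void)
{
    int rc = run_teardown(PEER_REPLIES_LATER, 1);
    printf("peer replies later : rc=%d trace=%s\n", rc, last_trace());
    rc = run_teardown(PEER_ALREADY_CLOSED, 1);
    printf("peer already closed: rc=%d trace=%s\n", rc, last_trace());
    rc = run_teardown(PEER_FATAL_ERROR, 1);
    printf("fatal error        : rc=%d trace=%s\n", rc, last_trace());
    return 0;
}
```

<p>The trace letters make the ordering checkable: a peer that answers after the first close_notify yields SSFDC (two SSL_shutdown() calls), a peer whose close_notify was already received yields SFDC, and a fatal error also yields SFDC because the second SSL_shutdown() is skipped while SSL_free() and the socket teardown still run. Wiring the real OpenSSL and socket functions into the table is a one-line change per callback; the injection exists only so the sequence can be tested offline.</p>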