[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Matt Caswell matt at openssl.org
Fri Sep 8 12:24:28 UTC 2017

The branch OpenSSL_1_1_0-stable has been updated
       via  389058f8a02641edc1847f84237efe757f836d03 (commit)
      from  4ea5f53d7c6364d3d91539258d8aeb6e9a2e4c93 (commit)

- Log -----------------------------------------------------------------
commit 389058f8a02641edc1847f84237efe757f836d03
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Sep 4 11:20:27 2017 +0100

    Allow an endpoint to read the alert data before closing the socket
    If an alert gets sent and then we close the connection immediately with
    data still in the input buffer then a TCP-RST gets sent. Some OSs
    immediately abandon data in their input buffer if a TCP-RST is received -
    meaning the alert data itself gets ditched. Sending a TCP-FIN before the
    TCP-RST seems to avoid this.
    This was causing test failures in MSYS2 builds.
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/4333)
    (cherry picked from commit bac6abe18d28373e0d2d0666c411020404197337)


Summary of changes:
 apps/s_socket.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/apps/s_socket.c b/apps/s_socket.c
index 7f01112..2af1b4b 100644
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -178,6 +178,23 @@ int do_server(int *accept_sock, const char *host, const char *port,
             i = (*cb)(sock, type, context);
+            /*
+             * If we ended with an alert being sent, but still with data in the
+             * network buffer to be read, then calling BIO_closesocket() will
+             * result in a TCP-RST being sent. On some platforms (notably
+             * Windows) then this will result in the peer immediately abandoning
+             * the connection including any buffered alert data before it has
+             * had a chance to be read. Shutting down the sending side first,
+             * and then closing the socket sends TCP-FIN first followed by
+             * TCP-RST. This seems to allow the peer to read the alert data.
+             */
+#ifdef _WIN32
+# ifdef SD_SEND
+            shutdown(sock, SD_SEND);
+# endif
+#elif defined(SHUT_WR)
+            shutdown(sock, SHUT_WR);
         } else {
             i = (*cb)(asock, type, context);

More information about the openssl-commits mailing list