[openssl-users] What is the best practise for shutdown SSL connections?
Serj
rasjv at yandex.com
Sun Feb 1 20:36:20 UTC 2015
Hello,
What is the best practice for shutting down SSL connections, when the client and server are both not mine? For example, an HTTP client or server.
I have read:
https://www.openssl.org/docs/ssl/SSL_shutdown.html
https://www.openssl.org/docs/ssl/SSL_set_shutdown.html
I use non-blocking sockets and create the sockets manually, then associate them with the SSL object using BIO_new_socket() and SSL_set_bio().
I have 3 topics and corresponding questions:
1. Return values for SSL_shutdown()
I never get 2 as a return value! Only 1 on success, when SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN are both set. Maybe something is wrong in the documentation?
2. What is the best practice for shutting down SSL connections for the CLIENT?
As I understand it, a unidirectional shutdown is more suitable for the client, since it doesn't require special work to wait for "close_notify". But we must be sure that the server got the "close_notify" - this is the question! So, the code for the CLIENT:
------------------------------------------------
// all data has been received from the server
SSL_shutdown(ssl);
// here we must be sure that the "close_notify" alert has been received by the server
// ...
closesocket(s);
------------------------------------------------
How do I do this check, that the server got the "close_notify" alert? What is the best practice?
I see that SSL_get_shutdown() returns SSL_SENT_SHUTDOWN immediately after we have called SSL_shutdown() the first time, so it only sets the flag after sending "close_notify" but doesn't wait.
3. What is the best practice for shutting down SSL connections for the SERVER?
As I understand it, the SERVER must get "close_notify" from the client, otherwise it will not be able to save the session, am I right? And the session will be invalid in this case.
So, for server the code is:
------------------------------------------------
// all data has been sent to the client
SSL_shutdown(ssl); // will not be superfluous
// here we must wait for the "close_notify" alert from the client
// we can do this by examining the SSL_RECEIVED_SHUTDOWN flag with SSL_get_shutdown()
// ...
// and only after this can we safely close the connection
closesocket(s);
------------------------------------------------
I will be very glad if these 3 topics and corresponding questions do not go unanswered!
--
Best Regards,
Serj