[openssl-users] What is the best practise for shutdown SSL connections?

Viktor Dukhovni openssl-users at dukhovni.org
Sun Feb 1 20:48:13 UTC 2015

On Sun, Feb 01, 2015 at 11:36:20PM +0300, Serj wrote:

> 1. Return values for SSL_shutdown() 

    0  initially if shutdown alert sent, but not yet received from
       the peer.

> I never get 2 as a return value!

Why do you expect "2"?  [ Note, something is screwing up itemized
lists in the on-line documentation.  Instead of showing item labels,
item numbers are showing up instead. ]  The nroff manpage says:

       The following return values can occur:

       0   The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional
           shutdown shall be performed.  The output of SSL_get_error(3) may be misleading, as an erroneous
           SSL_ERROR_SYSCALL may be flagged even though no error occurred.

       1   The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close
           notify" alert was received.

       -1  The shutdown was not successful because a fatal error occurred either at the protocol level or a
           connection failure occurred. It can also occur if action is need to continue the operation for
           non-blocking BIOs.  Call SSL_get_error(3) with the return value ret to find out the reason.

> 2. What is the best practise for shutdown SSL connections for CLIENT?

Call ssl_shutdown() and if it returns 0, call it again processing


More information about the openssl-users mailing list