[openssl-users] What is the best practise for shutdown SSL connections?

Serj rasjv at yandex.com
Sun Feb 1 21:28:12 UTC 2015 

Hi, Viktor.


01.02.2015, 23:50, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
> On Sun, Feb 01, 2015 at 11:36:20PM +0300, Serj wrote:
>>  1. Return values for SSL_shutdown()
>
>     0  initially if shutdown alert sent, but not yet received from
>        the peer.
>>  I never get 2 as a return value!
>
> Why do you expect "2"?  [ Note, something is screwing up itemized
> lists in the on-line documentation.  Instead of showing item labels,
> item numbers are showing up instead. ] 

Here: https://www.openssl.org/docs/ssl/SSL_shutdown.html I see only this:
-----------------------------------------------------
RETURN VALUES

The following return values can occur:

 1.  The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional shutdown shall be performed. The output of SSL_get_error may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.

 2.  The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close notify" alert was received.

    <0

        The shutdown was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. It can also occur if action is need to continue the operation for non-blocking BIOs. Call SSL_get_error with the return value ret to find out the reason.
-----------------------------------------------------


> The nroff manpage says:
>     RETURN VALUES
>        The following return values can occur:
>
>        0   The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional
>            shutdown shall be performed.  The output of SSL_get_error(3) may be misleading, as an erroneous
>            SSL_ERROR_SYSCALL may be flagged even though no error occurred.
>
>        1   The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close
>            notify" alert was received.
>
>        -1  The shutdown was not successful because a fatal error occurred either at the protocol level or a
>            connection failure occurred. It can also occur if action is need to continue the operation for
>            non-blocking BIOs.  Call SSL_get_error(3) with the return value ret to find out the reason.


Seems to be this is right.
This is exactly what I wanted to see here:  https://www.openssl.org/docs/ssl/SSL_shutdown.html


>>  2. What is the best practise for shutdown SSL connections for CLIENT?
>
> Call ssl_shutdown() and if it returns 0, call it again processing
> WANT_READ/WANT_WRITE as required.

I use non-blocking sockets. That's why I got -1 as return value after first ssl_shutdown().
I process WANT_READ/WANT_WRITE. But some servers don't send "close_notify", so we never got a 1 as a return value.
We must be sure that server got a "close_notify" - this is the question! What is the best practise for that?



--
Best Regards,

Serj

More information about the openssl-users mailing list