[openssl-users] Cancelling handshake in the middle

Michael Kravchenko mkrav at yahoo-inc.com
Sun Apr 3 09:15:24 UTC 2016

I have a client application that works with non-blocking BIO. The handshake loop looks, very roughly, like this:
  1. call SSL_connect()
  2. if the return value is -1 and SSL_get_error() returns WANT_READ or WANT_WRITE, perform the relevant select() call
  3. go to 1 and repeat until SSL_connect() returns 1
Let's say I want to add an option of breaking this loop early due to some external cause, e.g. the client application is closing. In this case, I'd like to let the server know that my client is exiting and will not be finishing the handshake process. What would be the proper API call to indicate this to the server? SSL_shutdown is not an option.
For TLS over TCP, closing the underlying TCP socket would probably do the trick, but in the case of DTLS over UDP (or other connection-less protocols) it would be better if the server received an alert message. If the DTLS client just exits silently in the middle of the handshake, the server will perform a series of timeouts/retransmissions as required by the DTLS standard, which can potentially take up to several minutes. This is why I am looking for an OpenSSL API call that could be used in the middle of handshake and would result in an alert message.
Hope this was more clear.

    On Sunday, April 3, 2016 11:17 AM, Otis Evans <otisevans98 at gmail.com> wrote:

Explain more

On Apr 3, 2016 2:59 AM, "Michael Kravchenko" <mkrav at yahoo-inc.com> wrote:


(My question is regarding a problem I discovered while developing a DTLS client, but I'm not sure that it's specific to DTLS) 

What is the proper way to cancel a handshake process in the middle? I have a client working with non-blocking BIO, which performs a series of SSL_connect() calls to establish connection to the server. Let's say that during the handshake process, the client, for some reason, decides to abort it. Ideally, I'd like the server to receive an alert message indicating that the client will not be finishing the handshake. 

SSL_shutdown() cannot be used here, since it works only after the handshake. 

I cannot find any public API call that could be used in this situation. ssl3_send_alert() is not a public API call. 

Any ideas on what would be the best way to proceed in this situation? 


openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
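The loop Michael sketches (call the connect function, map WANT_READ/WANT_WRITE to the matching select(), retry) with an early-abort check added, as a constructed example that is not part of the thread and not OpenSSL project code. It uses Python's ssl module over ssl.MemoryBIO objects instead of a socket so it runs offline with no peer; the hostname "example.test", the abort_after helper and the list standing in for the wire are all assumptions of the demo. Nothing answers the ClientHello, which is exactly the situation in which the application gives up, and on abort the demo only closes its (simulated) transport, matching what the post says works for TLS over TCP; it does not claim any API for sending a handshake-level alert, and the Python ssl module has no DTLS support, so the DTLS retransmission problem raised in the thread is outside what it can show.

```python
"""Non-blocking TLS client handshake loop with an early-abort path.

Constructed demo: the client runs over ssl.MemoryBIO objects instead of a
socket, so it is self-contained. Nothing ever answers the ClientHello."""
import ssl


def make_client(server_hostname="example.test"):
    """Client-side SSLObject over memory BIOs (stand-in for a non-blocking BIO).
    Verification is disabled only because this demo never receives a server
    certificate; production clients keep check_hostname and CERT_REQUIRED."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming = ssl.MemoryBIO()  # network -> OpenSSL
    outgoing = ssl.MemoryBIO()  # OpenSSL -> network
    sslobj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                          server_hostname=server_hostname)
    return sslobj, incoming, outgoing


def flush(outgoing, wire):
    """Move whatever OpenSSL queued for the peer onto the 'wire' (a list here,
    a socket send() in real code). With a socket BIO OpenSSL does this itself."""
    if outgoing.pending:
        wire.append(outgoing.read())


def drive_handshake(sslobj, outgoing, wire, wait_readable, wait_writable,
                    should_cancel):
    """The SSL_connect() / SSL_get_error() / select() loop from the post, plus
    a cancellation check before every retry. Returns 'done' or 'cancelled';
    genuine TLS failures propagate as ssl.SSLError."""
    while True:
        if should_cancel():
            # Abort path: stop driving the handshake. For TLS over TCP the
            # caller then closes the socket; no handshake alert is sent here.
            return "cancelled"
        try:
            sslobj.do_handshake()  # SSL_connect()
        except ssl.SSLWantReadError:  # SSL_ERROR_WANT_READ
            flush(outgoing, wire)  # ClientHello etc. must leave before we wait
            wait_readable()  # select() on the socket for readability
            continue
        except ssl.SSLWantWriteError:  # SSL_ERROR_WANT_WRITE
            flush(outgoing, wire)
            wait_writable()  # select() on the socket for writability
            continue
        flush(outgoing, wire)
        return "done"


def abort_after(n_waits):
    """Simulated external cause (assumed helper): the application decides to
    exit after the handshake has waited n_waits times with no server reply."""
    state = {"waits": 0, "closed": False}

    def wait_readable():
        state["waits"] += 1  # real code: select() with a timeout

    def should_cancel():
        return state["waits"] >= n_waits

    return state, wait_readable, should_cancel


def cancel_demo(n_waits=2):
    """Run the loop against silence and report what hit the wire."""
    sslobj, _incoming, outgoing = make_client()
    state, wait_readable, should_cancel = abort_after(n_waits)
    wire = []
    status = drive_handshake(sslobj, outgoing, wire, wait_readable,
                             wait_readable, should_cancel)
    if status == "cancelled":
        state["closed"] = True  # close(fd) on the real transport
    first = wire[0] if wire else b""
    return {
        "status": status,
        "chunks_sent": len(wire),
        "content_type": first[0] if first else None,  # 0x16 = handshake record
        "handshake_type": first[5] if len(first) > 5 else None,  # 1 = ClientHello
        "waits": state["waits"],
        "transport_closed": state["closed"],
    }


if __name__ == "__main__":
    print(cancel_demo())
```

The point to notice is the flush before each wait: with a memory BIO (or any transport the application drives itself) the ClientHello sits in the outgoing BIO until the application ships it, so a loop that only polls for readability never actually starts the handshake. The second do_handshake() call raises SSLWantReadError again without queueing anything new, so exactly one chunk reaches the wire before the abort.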

