[openssl-users] Shutdown details

Alex H alexhultman at gmail.com
Wed Aug 1 19:46:37 UTC 2018


[...] The other party MUST respond with a close_notify alert of its own and
close down the connection immediately, *discarding any pending writes*.

I've read this before, but I've also checked the sources of SSL_write and
they seem contradictory:

SSL_write does not return with error when SSL_RECEIVED_SHUTDOWN is set, but
does so when SSL_SENT_SHUTDOWN is set. Why is this? A minor bug? If the RFC
states the end who receives a close_notify should *discard any pending
writes* then it surely seems a bug to allow SSL_write for a connection
where SSL_RECEIVED_SHUTDOWN is set?

....

> If your question is whether you can still read any data that may have
been in flight when you send your close_notify, I believe the answer
is no.  Further data received from the peer is discarded after a
close_notify is sent.

I also believe so, especially since SSL_shutdown docs seem to hint that
once SSL_shutdown is called, it should be called again until fully done
(serving SSL_WANT_READ/WRITE as needed). In other words, SSL_shutdown
becomes the only function called until the SSL connection is fully closed,
no more SSL_read is called and thus it cannot report any received data.
SSL_shutdown does not return with any data.

Regarding the SSL_RECEIVED_SHUTDOWN - do you think this is a minor bug?

Den ons 1 aug. 2018 kl 21:16 skrev Viktor Dukhovni <
openssl-users at dukhovni.org>:

>
>
> > On Aug 1, 2018, at 2:27 AM, Alex H <alexhultman at gmail.com> wrote:
> >
> > Is it possible to receive data after calling SSL_shutdown? Reading the
> specs and docs leaves this rather blurry.
>
> TLS *does not* support half-closed connections (RFC5246):
>
>    close_notify
>       This message notifies the recipient that the sender will not send
>       any more messages on this connection.  Note that as of TLS 1.1,
>       failure to properly close a connection no longer requires that a
>       session not be resumed.  This is a change from TLS 1.0 to conform
>       with widespread implementation practice.
>
>    Either party may initiate a close by sending a close_notify alert.
>    Any data received after a closure alert is ignored.
>
>    Unless some other fatal alert has been transmitted, each party is
>    required to send a close_notify alert before closing the write side
>    of the connection.  The other party MUST respond with a close_notify
>    alert of its own and close down the connection immediately,
>    discarding any pending writes.  It is not required for the initiator
>    of the close to wait for the responding close_notify alert before
>    closing the read side of the connection.
>
>    If the application protocol using TLS provides that any data may be
>    carried over the underlying transport after the TLS connection is
>    closed, the TLS implementation must receive the responding
>    close_notify alert before indicating to the application layer that
>    the TLS connection has ended.  If the application protocol will not
>    transfer any additional data, but will only close the underlying
>    transport connection, then the implementation MAY choose to close the
>    transport without waiting for the responding close_notify.  No part
>    of this standard should be taken to dictate the manner in which a
>    usage profile for TLS manages its data transport, including when
>    connections are opened or closed.
>
>    Note: It is assumed that closing a connection reliably delivers
>    pending data before destroying the transport.
>
> If your question is whether you can still read any data that may have
> been in flight when you send your close_notify, I believe the answer
> is no.  Further data received from the peer is discarded after a
> close_notify is sent.
>
> --
>         Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180801/201e6c5b/attachment.html>


More information about the openssl-users mailing list