Re: SSL_shutdown question

Thu, 08 Aug 2013 10:03:49 -0700 

YUN GAO wrote:

Hi there:
SSL_shutdown used to have a problem that in some instances it always
returns 0 no matter how many time it is called before 0.9.8l.
To solve the issue, I have to call SSL_shutdown() twice and check the
error number and return code at the second time: if the return code
is 0 and the error number from SSL_get_error() is not
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, SSL_shutdown()
is confirmed.
I found this has been solved in 1.0.1b, SSL_shutdown() always return
-1 if the SSL connection has been closed already, and the error number
now becomes SSL_ERROR_SYSCALL and the second time calling SSL_shutdow().
I looked at the ChangeLog, and found a SSL_shutdown() fix in 0.9.8m, I
wonder if this is the one that contributes to the different behavoir
as I describd
above.



Sorry for late reply to old post.  I just did a search on topic to 
notice your unreply posting.



Yes indeed it does.  Please search mailing list for full information.

Some small code was provided on mailing-list that could be cut and 
pasted to provide same compatibility of previous behaviour but using new 
API, also this code is backwards compatible meaning it could be added to 
your application today and it would not matter if you were using OpenSSL 
version at runtime from before the change (such as 0.9.7) or after the 
change (such as 1.0.0).



Think of the new behaviour as providing/exposing additional information 
that was previously hidden.




Previously it was not possible to detect with certainty flow control and 
lack of data issues during SSL shutdown.



Before 0.9.8m (or whatever version it was changed, I take your word for 
it) the return value of 0 could mean any of the 3 new states:


-1/WANT_WRITE

0  (this has same meaning as -1/WANT_READ and it return for 
compatibility with API, but the 0 is only visible once to provide that 
compatibilty)

-1/WANT_READ



The return value of 1 has the same meaning in the previous behaviour and 
current behaviour of the SSL_shutdown() API.




When you refer to version 1.0.1b are you talking about a patch in that 
version, or is this the version you happened to be testing with ?



All versions since 0.9.8m (if that is the correct version) should detect 
a close of lower level transport (i.e. socket) with the usual 
-1/SSL_ERROR_SYSCALL or -1/SSL_ZERO_RETURN as you would also expect to 
see from SSL_read() usage.



Darryl

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org














    











					Reply via email to