> On Mar 26, 2015, at 1:18 PM, [email protected] wrote:
>
[snip]
> ----------------------------------------------------------------------
> diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
> index 3d58072..a1988f2 100644
> --- a/iocore/net/SSLNetVConnection.cc
> +++ b/iocore/net/SSLNetVConnection.cc
> @@ -762,6 +762,43 @@ SSLNetVConnection::SSLNetVConnection()
> {
> }
>
> +void
> +SSLNetVConnection::do_io_close(int lerrno)
> +{
> + if (this->ssl != NULL && sslHandShakeComplete) {
> + int new_shutdown_mode = 0, shutdown_mode = 0;
> + if (this->lerrno < 0) {
Why do you look at VConnection::lerrno instead of the lerrno argument?
> + new_shutdown_mode = SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN;
> + } else {
> + shutdown_mode = SSL_get_shutdown(ssl);
> + Debug("ssl-shutdown", "previous shutdown state 0x%x", shutdown_mode);
> + new_shutdown_mode = shutdown_mode | SSL_RECEIVED_SHUTDOWN;
> + }
> + if (new_shutdown_mode != shutdown_mode) {
> + // We do not need to sit around and wait for the client's close-notify
> if
> + // they have not already sent it. We will still be standards compliant
> + Debug("ssl-shutdown", "new SSL_set_shutdown 0x%x", new_shutdown_mode);
> + SSL_set_shutdown(ssl, new_shutdown_mode);
> + }
> +
> + // If the peer has already sent a FIN, don't bother with the shutdown
> + // They will just send us a RST for our troubles
> + // This test is not foolproof. The client's fin could be on the wire
> + // at the same time we send the close-notify. If so, the client will
> likely
> + // send RST anyway
> + char c;
> + ssize_t x = recv(this->con.fd, &c, 1, MSG_PEEK);
> + // x < 0 means error. x == 0 means fin sent
> + if (x != 0) {
> + // Send the close-notify
> + int ret = SSL_shutdown(ssl);
> + Debug("ssl-shutdown", "SSL_shutdown %s", (ret)?"success":"failed");
> + }
> + }
> + // Go on and do the unix socket cleanups
> + super::do_io_close(lerrno);
> +}
> +
> void
> SSLNetVConnection::free(EThread *t)
> {
> @@ -780,8 +817,6 @@ SSLNetVConnection::free(EThread *t)
> closed = 0;
> ink_assert(con.fd == NO_FD);
> if (ssl != NULL) {
> - /*if (sslHandShakeComplete)
> - SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); */
> SSL_free(ssl);
> ssl = NULL;
> }
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/03734d05/iocore/net/SSLUtils.cc
> ----------------------------------------------------------------------
> diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
> index b813aee..75a44a7 100644
> --- a/iocore/net/SSLUtils.cc
> +++ b/iocore/net/SSLUtils.cc
> @@ -1238,8 +1238,6 @@ SSLInitServerContext(const SSLConfigParams *params,
> const ssl_user_config &sslMu
> SSL_CTX_set_options(ctx, SSL_OP_SAFARI_ECDHE_ECDSA_BUG);
> #endif
>
> - SSL_CTX_set_quiet_shutdown(ctx, 1);
> -
> // pass phrase dialog configuration
> passphrase_cb_userdata ud(params, sslMultCertSettings.dialog,
> sslMultCertSettings.first_cert, sslMultCertSettings.key);
>
>
