On Tuesday, 19 December 2017 20:44:33 CET Martin Thomson wrote:
> See SSL_AlertReceivedCallback().

though do note that TCP does not reliably deliver data after one side has 
closed connection and behaviour of different implementations varies widely 
(both on TCP and TLS level):
https://blog.netherlabs.nl/articles/2009/01/18/the-ultimate-so_linger-page-or-why-is-my-tcp-not-reliable

> On 20 Dec. 2017 6:22 am, "Johann 'Myrkraverk' Oskarsson"
> 
> <johann@myrkraverk.invalid> wrote:
> > Hi,
> > 
> > Is it really impossible to verify if the server sent close_notify in a
> > normal NSS client application?
> > 
> > In both cases, PR_Read() returns zero with no error messages or status
> > difference of any kind.
> > 
> > I have tentatively verified that ssl3_HandleAlert() is called with
> > AlertDescription zero == close_notify, using dtrace, when my server
> > properly terminates the connection with PR_Close().  No such probe
> > (in the client) fires if I just kill the server (naturally).
> > 
> > My problem is that in the client code *I cannot distinguish the two*
> > (with or without close_notify) in normal PR_Read() loop.  There appears
> > to be no publicly available API to retrieve the status of the
> > recvCloseNotify flag.
> > 
> > And the ssl3_HandleAlert code does not propagate the condition, instead
> > the internal error = SSL_ERROR_CLOSE_NOTIFY_ALERT variable is simply
> > ignored, and it returns with SECSuccess.
> > 
> > This is situation is current as of changeset 14194:04fc9a90997b,
> > Mon Dec 18 11:05:28 2017 +0100.
> > 
> > How is NSS client code supposed to detect proper termination by the
> > other party?
> > 
> > I would call this a serious breach of security in the NSS public API.
> > 
> > 
> > --
> > Johann | email: invalid -> com | www.myrkraverk.com/blog/
> > I'm not from the Internet, I just work there. | twitter: @myrkraverk
> > --
> > dev-tech-crypto mailing list
> > dev-tech-crypto@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-tech-crypto


-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purky┼łova 115, 612 00  Brno, Czech Republic

Attachment: signature.asc
Description: This is a digitally signed message part.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to