On Wed, Mar 03, 1999, Mats Josefsson wrote:

> > Can you give me an URL of a Netscape server where I can look at the responses
> > of such a beast in contrast to Apache+mod_ssl? Or at least show me the
> > difference between a connect with ``s_client -state -debug'' to both the
> > Apache+mod_ssl and the Netscape server.
> 
> I'm behind a firewall, so you can't connect. But here are the state
> logs:
> 
> Netscape (3.5.1G):
> [...]
> SSL_connect:SSLv3 read finished A
> SSL3 alert read:warning:close notify
> SSL3 alert write:warning:close notify
> 
> Apache+mod_ssl
> [...]
> SSL_connect:SSLv3 read finished A
> read:errno=0
> SSL3 alert write:warning:close notify
> > change
> >      SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
> > to
> >      SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
> > 
> > and try again. Then the close notify should be really sent.
> > Please give me feedback about your results...
> 
> I tried the change, but it didn't make a difference.

Yes, because the topic is a very important one I've immediately investigated a
few hours and after fiddling around debugging s_client and Apache+mod_ssl I
now know why the above suggested change makes no difference: It's Apache's
fault! The Apache kernel functions close the socket _before_ the cleanup
functions (the above code is inside such a function) are run.  

That's usually no problem for other modules which do not speak themselves on
the socket. For mod_ssl it's a _BIG_ problem. The only solution is to extend
the module structures via EAPI and explicitly provide a close_connection hook
which is used _before_ the socket is dropped. I've now suspended the proposed
vendor hooks (sorry, Mark!) a little bit and will try to provide a solution
for this alert problem first for 2.2.4. A test patch is coming in one hour or
two.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
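
Added example, not part of the original post or of mod_ssl: a small Python check that reads `s_client -state` output like the two log tails quoted above and reports whether the server's close notify alert arrived before the socket reached EOF. The function name, result keys and verdict strings are assumptions made for this example.

```python
import re

# Lines that `openssl s_client -state` prints around connection teardown.
ALERT_RE = re.compile(r"^SSL3 alert (read|write):(\w+):(.+)$")
EOF_RE = re.compile(r"^read:errno=\d+$")

def classify_shutdown(state_log):
    """Report how the TLS connection in an s_client -state log ended."""
    result = {"handshake_done": False, "peer_close_notify": False,
              "local_close_notify": False, "eof_without_alert": False}
    for raw in state_log.splitlines():
        line = raw.lstrip("> \t").rstrip()  # tolerate e-mail quoting
        if line.startswith("SSL_connect:") and "read finished" in line:
            result["handshake_done"] = True
            continue
        alert = ALERT_RE.match(line)
        if alert and alert.group(3).strip() == "close notify":
            key = "peer_close_notify" if alert.group(1) == "read" else "local_close_notify"
            result[key] = True
        elif EOF_RE.match(line) and not result["peer_close_notify"]:
            # The socket hit EOF before any close notify from the server.
            result["eof_without_alert"] = True
    if not result["handshake_done"]:
        result["verdict"] = "no-handshake"
    elif result["peer_close_notify"]:
        result["verdict"] = "clean-shutdown"
    elif result["eof_without_alert"]:
        result["verdict"] = "socket-closed-without-close-notify"
    else:
        result["verdict"] = "undetermined"
    return result

# Log tails as quoted in the post above (earlier handshake lines are elided there too).
NETSCAPE_LOG = """\
SSL_connect:SSLv3 read finished A
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify
"""
APACHE_MOD_SSL_LOG = """\
SSL_connect:SSLv3 read finished A
read:errno=0
SSL3 alert write:warning:close notify
"""

if __name__ == "__main__":
    for name, log in (("Netscape", NETSCAPE_LOG), ("Apache+mod_ssl", APACHE_MOD_SSL_LOG)):
        print(name, "->", classify_shutdown(log)["verdict"])
```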