On Thu, Apr 15, 1999 at 11:53:01AM +0200, Stefan Pedersen wrote:
> On Thu, 15 Apr 1999, Bodo Moeller wrote:
> > Stefan Pedersen <[EMAIL PROTECTED]>:

> > >     if(retval == 0)
> > >             otherSideClosedConnection();

> > Not quite.  If retval == 0, you still have to call SSL_get_error if
> > you want to verify that it was really the other side that closed the
> > connection.  Think of HTTP messages with indefinite length, for
> > example: If you're at the client side, you sure want to know where the
> > file really ends.

> Ok... NOW I'm confused. SSL_read returning 0 and connection not
> closed by peer?
> This would break the traditional unix like behaviour. Could you
> please explain what you mean?

Sure.  The point is that you want cryptographic authentication for the
fact that the TCP close was initiated by the other SSL end-point.
That's what the closure alert is for.  The corresponding code in
SSL_get_error (ssl_lib.c) is as follows:

        if (i == 0)
                {
                if (s->version == SSL2_VERSION)
                        {
                        /* assume it is the socket being closed */
                        return(SSL_ERROR_ZERO_RETURN);
                        }
                else
                        {
                        if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
                                (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
                                return(SSL_ERROR_ZERO_RETURN);
                        }
                }
        return(SSL_ERROR_SYSCALL);

If you get SSL_ERROR_SYSCALL, you cannot continue using the
connection, but it wasn't a clean close.  Only if you get
SSL_ERROR_ZERO_RETURN (and don't use SSL 2) do you know that the
connection was cleanly terminated.  Otherwise, it could be an attacker
who, for example, tries to trim the last lines from the output
of https://somehost/cgi-bin/somescript.pl.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
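The read loop that the thread above calls for, as an added example: it is not part of the thread and not OpenSSL's code. To run without linking libssl it models the record layer in memory; the `tls_reader` struct, `model_ssl_read()`, `model_ssl_get_error_zero()`, `read_response()`, `run_stream()` and the record streams are constructed here, and the constants mirror the values in OpenSSL's ssl.h. It reproduces the `i == 0` branch of SSL_get_error quoted in the mail and shows why a caller must treat a 0 return as "complete" only on SSL_ERROR_ZERO_RETURN: a peer that sends close_notify is distinguished from a stream that simply ends (the trimming case), from a stream that ends after some other warning alert, and from the SSL 2 case where the library cannot tell the difference.

```c
/* Added example, not OpenSSL code and not linked against it.  The record
 * stream, the tls_reader struct and the model_* functions are constructed
 * here; the constants mirror ssl.h. */
#include <stdio.h>
#include <string.h>

#define SSL_ERROR_SYSCALL       5
#define SSL_ERROR_ZERO_RETURN   6
#define SSL_RECEIVED_SHUTDOWN   2
#define SSL_AD_CLOSE_NOTIFY     0
#define SSL_AD_USER_CANCELLED   90
#define SSL2_VERSION            0x0002
#define SSL3_VERSION            0x0300

/* One unit delivered by the transport: application data, a warning
 * alert, or the end of the TCP stream (FIN, whoever sent it). */
enum rec_type { REC_APPDATA, REC_ALERT, REC_EOF };

struct record {
    enum rec_type type;
    int alert_desc;          /* REC_ALERT only */
    const char *data;        /* REC_APPDATA only */
};

struct tls_reader {
    int version;
    int shutdown;            /* gets SSL_RECEIVED_SHUTDOWN on close_notify */
    int warn_alert;          /* description of the last warning alert seen */
    const struct record *recs;
    size_t nrecs, pos;
};

/* Model of SSL_read(): >0 bytes copied, 0 on close_notify or transport EOF. */
static int model_ssl_read(struct tls_reader *r, char *buf, size_t buflen)
{
    while (r->pos < r->nrecs) {
        const struct record *rec = &r->recs[r->pos];
        switch (rec->type) {
        case REC_APPDATA: {
            size_t n = strlen(rec->data);
            if (n >= buflen) n = buflen - 1;
            memcpy(buf, rec->data, n);
            buf[n] = '\0';
            r->pos++;
            return (int)n;
        }
        case REC_ALERT:
            r->warn_alert = rec->alert_desc;
            r->pos++;
            if (rec->alert_desc == SSL_AD_CLOSE_NOTIFY) {
                r->shutdown |= SSL_RECEIVED_SHUTDOWN;
                return 0;    /* authenticated end of data */
            }
            continue;        /* other warning alerts do not end the stream */
        case REC_EOF:
            return 0;        /* transport closed, nothing authenticated it */
        }
    }
    return 0;
}

/* The i == 0 branch of SSL_get_error() as quoted in the mail. */
static int model_ssl_get_error_zero(const struct tls_reader *r)
{
    if (r->version == SSL2_VERSION)
        return SSL_ERROR_ZERO_RETURN;   /* SSL 2 assumes the socket closed */
    if ((r->shutdown & SSL_RECEIVED_SHUTDOWN) &&
        r->warn_alert == SSL_AD_CLOSE_NOTIFY)
        return SSL_ERROR_ZERO_RETURN;
    return SSL_ERROR_SYSCALL;
}

/* Drains the response into out.  Returns 1 only when the end of the data
 * was authenticated by close_notify; 0 means the caller must not assume
 * the response is complete, whatever it received. */
static int read_response(struct tls_reader *r, char *out, size_t outlen)
{
    char buf[64];
    size_t used = 0;
    int n;
    out[0] = '\0';
    while ((n = model_ssl_read(r, buf, sizeof buf)) > 0) {
        if (used + (size_t)n < outlen) {
            memcpy(out + used, buf, (size_t)n);
            used += (size_t)n;
            out[used] = '\0';
        }
    }
    return model_ssl_get_error_zero(r) == SSL_ERROR_ZERO_RETURN;
}

static int run_stream(int version, const struct record *recs, size_t n,
                      char *out, size_t outlen)
{
    struct tls_reader r = { version, 0, -1, recs, n, 0 };
    return read_response(&r, out, outlen);
}

/* Constructed streams for a response of indefinite length. */
static const struct record clean_stream[] = {
    { REC_APPDATA, 0, "HTTP/1.0 200 OK\r\n\r\n" },
    { REC_APPDATA, 0, "line 1\nline 2\nline 3\n" },
    { REC_ALERT, SSL_AD_CLOSE_NOTIFY, NULL },
    { REC_EOF, 0, NULL },
};
static const struct record trimmed_stream[] = {   /* FIN, no close_notify */
    { REC_APPDATA, 0, "HTTP/1.0 200 OK\r\n\r\n" },
    { REC_APPDATA, 0, "line 1\nline 2\n" },
    { REC_EOF, 0, NULL },
};
static const struct record cancelled_stream[] = { /* warning, then FIN */
    { REC_APPDATA, 0, "HTTP/1.0 200 OK\r\n\r\n" },
    { REC_ALERT, SSL_AD_USER_CANCELLED, NULL },
    { REC_EOF, 0, NULL },
};

#define COUNT(a) (sizeof (a) / sizeof *(a))

int main(void)
{
    char out[256];
    int ok = run_stream(SSL3_VERSION, clean_stream, COUNT(clean_stream), out, sizeof out);
    printf("close_notify:   complete=%d, %zu bytes\n", ok, strlen(out));
    ok = run_stream(SSL3_VERSION, trimmed_stream, COUNT(trimmed_stream), out, sizeof out);
    printf("bare FIN:       complete=%d, %zu bytes\n", ok, strlen(out));
    ok = run_stream(SSL2_VERSION, trimmed_stream, COUNT(trimmed_stream), out, sizeof out);
    printf("bare FIN, SSL2: complete=%d (cannot be detected)\n", ok);
    return 0;
}
```

The clean stream yields all three lines and `read_response()` returns 1; the trimmed stream yields two lines and returns 0 even though every byte it delivered was valid, which is the case the mail warns about. The same trimmed stream under SSL2_VERSION returns 1, which is why the advice is conditional on not using SSL 2.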