On Mon, Jul 23, 2001 at 02:18:37PM +0200, Martin Sjögren wrote:
> This is the mail I sent last Friday that didn't seem to reach the list.
> 
> Since then I've made progress. Apparently the SSL_shutdown() function
> cannot return -1! From reading the source I'd say it can only return 1 or
> 0: 1 if everything is completed and 0 otherwise; there are no error codes
> involved at all. Am I right?
> 
> In any case my man page seems to be wrong.

Yes. It is wrong. We had a discussion about this topic some weeks ago
on this list. When I wrote the manual page, my analysis of the source was
not correct (I did not write a test program).
The manual page more or less states how the behaviour should be :-)


> ----- Forwarded message from martin -----
> 
> To: [EMAIL PROTECTED]
> Subject: SSL_shutdown() woes
> 
> Okay, bear with me here, because I'm writing an OpenSSL module for Python
> and writing example (test) programs in Python that use it, so I'm not
> quite sure where the problem is here...
> 
> In the OpenSSL module I've matched the SSL_ERROR_* with Python exceptions,
> thus ZERO_RETURN raises an exception that has to be caught (;)) but I'm
> having trouble here...
> 
> On my client side I'm sending a shutdown message, the server thus gets a
> ZeroReturnError and sends a shutdown, a close and then quits.
> 
> Trouble is, what SSL_shutdown seems to return on the client side is 0,
> and SSL_get_error says SYSCALL, but the error stack is empty, there is no
> errno set... What's happening?

The side sending the shutdown alert first will not care about the answer of
the peer but will immediately return with a return value of "0"
(ssl/s3_lib.c:ssl3_shutdown()). SSL_get_error will evaluate the value of "0"
and as the shutdown alert of the peer was not received (actually, the
program did not even wait for the answer), an SSL_ERROR_SYSCALL is flagged,
because this is the default rule in case everything else does not apply.

For your server the problem is different, because it receives the shutdown
first (setting SSL_RECEIVED_SHUTDOWN), then sends its response
(SSL_SENT_SHUTDOWN), so for the server the shutdown was successful.

As it is by now, you would have to call SSL_shutdown() once and ignore
an SSL_ERROR_SYSCALL returned. Then call SSL_shutdown() again to actually
get the server's response...

In the last discussion, Bodo Moeller concluded that a rewrite of the
shutdown code would be necessary, but probably with another API, as
the change would not be compatible with the way it is now.
Things do not become easier as other programs do not follow the shutdown
guidelines anyway, so that a lot of error conditions and compatibility issues
would have to be caught.

For now the recommendation is to ignore the error message...

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
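The two-step shutdown Lutz describes, as an added example that is not part of the thread: CPython's ssl module performs the "call SSL_shutdown() once, then call it again" recipe inside unwrap(), and driving both ends through ssl.MemoryBIO objects makes each stage visible. With current OpenSSL releases the second call on the client reports SSL_ERROR_WANT_READ (surfacing as SSLWantReadError) rather than the SSL_ERROR_SYSCALL of 2001, while the server, which already holds the client's alert, completes in a single call. The example assumes the `openssl` command-line tool is installed to mint a throwaway self-signed certificate; the certificate and the event strings are constructed test data.

```python
import os, ssl, subprocess, tempfile

def _contexts():
    """Server/client contexts sharing a throwaway self-signed localhost certificate
    (constructed test data; assumes the `openssl` CLI is installed)."""
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = os.path.join(tmp, "key.pem"), os.path.join(tmp, "cert.pem")
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                        "-days", "1", "-keyout", key, "-out", cert],
                       check=True, capture_output=True)
        sctx.load_cert_chain(cert, key)
        cctx.load_verify_locations(cert)  # the client trusts only this certificate
    sctx.num_tickets = 0                  # keep post-handshake tickets out of the trace
    return sctx, cctx

def shutdown_trace():
    """Return the order in which client and server see the close_notify alerts."""
    sctx, cctx = _contexts()
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    server = sctx.wrap_bio(s_in, s_out, server_side=True)
    pending = {client, server}
    while pending:                        # handshake: shuttle records until both finish
        for obj, out, peer_in in ((client, c_out, s_in), (server, s_out, c_in)):
            try:
                obj.do_handshake()
                pending.discard(obj)
            except ssl.SSLWantReadError:
                pass
            peer_in.write(out.read())     # play the network: deliver what was written
    events = []
    # Client closes first. unwrap() calls SSL_shutdown() twice: the first sends
    # close_notify (return 0); the second finds no answer in the inbox, so its
    # SSL_ERROR_WANT_READ surfaces here as SSLWantReadError.
    try:
        client.unwrap()
    except ssl.SSLWantReadError:
        events.append("client: close_notify sent, peer answer not yet received")
    s_in.write(c_out.read())
    # The server already holds the client's alert, so a single unwrap() receives
    # it and answers: the "shutdown was successful" server case from the thread.
    server.unwrap()
    events.append("server: close_notify received and answered")
    c_in.write(s_out.read())
    client.unwrap()                       # second attempt collects the server's answer
    events.append("client: peer close_notify received, shutdown complete")
    return events
```

On a blocking socket the same second SSL_shutdown() call simply waits for the peer's close_notify instead of raising; the MemoryBIO version exposes the intermediate state that the thread is about.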
