SSL_shutdown question

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

SSL_shutdown question

YUN GAO-2
Hi there:
SSL_shutdown used to have a problem that in some instances it always
returns 0 no matter how many time it is called before 0.9.8l.
To solve the issue, I have to call SSL_shutdown() twice and check the
error number and return code at the second time: if the return code
is 0 and the error number from SSL_get_error() is not
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, SSL_shutdown()
is confirmed.
I found this has been solved in 1.0.1b, SSL_shutdown() always return
-1 if the SSL connection has been closed already, and the error number
now becomes SSL_ERROR_SYSCALL and the second time calling SSL_shutdow().
I looked at the ChangeLog, and found a SSL_shutdown() fix in 0.9.8m, I
wonder if this is the one that contributes to the different behavoir
as I describd
above.
Thanks in advance,
G.Y
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: SSL_shutdown question

Darryl Miles
YUN GAO wrote:

> Hi there:
> SSL_shutdown used to have a problem that in some instances it always
> returns 0 no matter how many time it is called before 0.9.8l.
> To solve the issue, I have to call SSL_shutdown() twice and check the
> error number and return code at the second time: if the return code
> is 0 and the error number from SSL_get_error() is not
> SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, SSL_shutdown()
> is confirmed.
> I found this has been solved in 1.0.1b, SSL_shutdown() always return
> -1 if the SSL connection has been closed already, and the error number
> now becomes SSL_ERROR_SYSCALL and the second time calling SSL_shutdow().
> I looked at the ChangeLog, and found a SSL_shutdown() fix in 0.9.8m, I
> wonder if this is the one that contributes to the different behavoir
> as I describd
> above.

Sorry for late reply to old post.  I just did a search on topic to
notice your unreply posting.


Yes indeed it does.  Please search mailing list for full information.
Some small code was provided on mailing-list that could be cut and
pasted to provide same compatibility of previous behaviour but using new
API, also this code is backwards compatible meaning it could be added to
your application today and it would not matter if you were using OpenSSL
version at runtime from before the change (such as 0.9.7) or after the
change (such as 1.0.0).

Think of the new behaviour as providing/exposing additional information
that was previously hidden.


Previously it was not possible to detect with certainty flow control and
lack of data issues during SSL shutdown.

Before 0.9.8m (or whatever version it was changed, I take your word for
it) the return value of 0 could mean any of the 3 new states:

-1/WANT_WRITE
0  (this has same meaning as -1/WANT_READ and it return for
compatibility with API, but the 0 is only visible once to provide that
compatibilty)
-1/WANT_READ


The return value of 1 has the same meaning in the previous behaviour and
current behaviour of the SSL_shutdown() API.


When you refer to version 1.0.1b are you talking about a patch in that
version, or is this the version you happened to be testing with ?

All versions since 0.9.8m (if that is the correct version) should detect
a close of lower level transport (i.e. socket) with the usual
-1/SSL_ERROR_SYSCALL or -1/SSL_ZERO_RETURN as you would also expect to
see from SSL_read() usage.


Darryl

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]