Hi,

Is it really impossible to verify if the server sent close_notify in a normal NSS client application?

In both cases, PR_Read() returns zero with no error messages or status difference of any kind. I have tentatively verified that ssl3_HandleAlert() is called with AlertDescription zero == close_notify, using dtrace, when my server properly terminates the connection with PR_Close(). No such probe (in the client) fires if I just kill the server (naturally).

My problem is that in the client code *I cannot distinguish the two* (with or without close_notify) in a normal PR_Read() loop. There appears to be no publicly available API to retrieve the status of the recvCloseNotify flag. And the ssl3_HandleAlert code does not propagate the condition; instead the internal error = SSL_ERROR_CLOSE_NOTIFY_ALERT variable is simply ignored, and it returns with SECSuccess.

This situation is current as of changeset 14194:04fc9a90997b, Mon Dec 18 11:05:28 2017 +0100.

How is NSS client code supposed to detect proper termination by the other party? I would call this a serious breach of security in the NSS public API.

--
Johann | email: invalid -> com | www.myrkraverk.com/blog/
I'm not from the Internet, I just work there. | twitter: @myrkraverk
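As an added illustration (not NSS code and not from the poster), the C snippet below shows the distinction a client read loop needs at the record level: a stream that ends with a close_notify alert is a clean close, while transport EOF with no close_notify is reported as possible truncation rather than an ordinary end of data. It assumes the records are already decrypted (a simplification; after the handshake real alerts are encrypted) and uses constructed sample records.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* TLS record content types and alert values (RFC 5246). */
#define TLS_CT_ALERT            21
#define TLS_CT_APPLICATION_DATA 23
#define TLS_ALERT_LEVEL_FATAL   2
#define TLS_ALERT_CLOSE_NOTIFY  0
/* What a client read loop needs to know when the byte stream ends. */
enum tls_close_status {
    TLS_CLOSE_CLEAN,       /* peer sent close_notify: legitimate end of data */
    TLS_CLOSE_TRUNCATED,   /* transport EOF without close_notify: treat as an error */
    TLS_CLOSE_FATAL_ALERT, /* peer sent a fatal alert other than close_notify */
    TLS_CLOSE_MALFORMED    /* record framing inconsistent with the bytes received */
};
/* Walk plaintext TLS records (assumed already decrypted; a simplification) and
 * report how the stream ended. app_bytes receives the application-data length. */
enum tls_close_status drain_records(const uint8_t *buf, size_t len, size_t *app_bytes)
{
    size_t off = 0;
    *app_bytes = 0;
    while (off + 5 <= len) {                 /* 5-byte record header */
        uint8_t type = buf[off];
        size_t body = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        off += 5;
        if (off + body > len) return TLS_CLOSE_MALFORMED; /* header promises more than arrived */
        if (type == TLS_CT_ALERT) {
            if (body != 2) return TLS_CLOSE_MALFORMED;
            if (buf[off + 1] == TLS_ALERT_CLOSE_NOTIFY) return TLS_CLOSE_CLEAN;
            if (buf[off] == TLS_ALERT_LEVEL_FATAL) return TLS_CLOSE_FATAL_ALERT;
        } else if (type == TLS_CT_APPLICATION_DATA) {
            *app_bytes += body;
        }
        off += body;
    }
    if (off != len) return TLS_CLOSE_MALFORMED; /* partial header at the end */
    return TLS_CLOSE_TRUNCATED;                 /* EOF with no close_notify seen */
}
/* Convenience wrapper when only the close status matters. */
enum tls_close_status classify(const uint8_t *buf, size_t len)
{
    size_t n;
    return drain_records(buf, len, &n);
}
/* Constructed samples: "hi" as application data, with and without a trailing close_notify. */
static const uint8_t clean_stream[] = { 23,3,3,0,2,'h','i', 21,3,3,0,2,1,0 };
static const uint8_t cut_stream[]   = { 23,3,3,0,2,'h','i' };
int main(void)
{
    printf("clean: status %d\n", (int)classify(clean_stream, sizeof clean_stream)); /* 0 */
    printf("cut:   status %d\n", (int)classify(cut_stream, sizeof cut_stream));     /* 1 */
    return 0;
}
```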