> I want to repeat: it's also OK by me if the documentation *explicitly*
> says somewhere
>
>     "SSL can not operate half-duplex like TCP can. SSL_read()==0 means
>     the connection is truly dead. You should not do SSL_write() anymore,
>     and you can not use the results of SSL_want*() anymore for poll()."

SSL_read says:

"The read operation was not successful. The reason may either be a clean
shutdown due to a ``close notify'' alert sent by the peer (in which case the
SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set (see
SSL_shutdown(3), SSL_set_shutdown(3)). It is also possible, that the peer
simply shut down the underlying transport and the shutdown is incomplete.
Call SSL_get_error() with the return value ret to find out, whether an error
occurred or the connection was shut down cleanly (SSL_ERROR_ZERO_RETURN)."

And SSL_shutdown makes it clear that once a shutdown has been initiated, the
only thing that can happen is for the other side to acknowledge the
shutdown. The page explicitly says that the connection is closed once the
shutdown flag is set.

For example, "A ``close notify'' shutdown alert was sent to the peer, the
connection is being considered closed and the session is closed and
correct."

"When the application is the first party to send the "close notify" alert,
SSL_shutdown() will only send the alert and then set the SSL_SENT_SHUTDOWN
flag (so that the session is considered good and will be kept in cache).
SSL_shutdown() will then return with 0. If a unidirectional shutdown is
enough (the underlying connection shall be closed anyway), this first call
to SSL_shutdown() is sufficient. In order to complete the bidirectional
shutdown handshake, SSL_shutdown() must be called again. The second call
will make SSL_shutdown() wait for the peer's "close notify" shutdown alert.
On success, the second call to SSL_shutdown() will return with 1."

I think it's perfectly clear that a zero from SSL_read means that a shutdown
has been initiated and that once a shutdown has been initiated, the
connection is dead.

Anyone who doesn't know that a half-duplex SSL connection is impossible
doesn't know enough about SSL to have a prayer of using OpenSSL correctly.
(In fact, I have seen examples of precisely this type of misunderstanding
causing all kinds of problems when the peer decides to trigger a
renegotiation.)

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
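An added example, not part of the original message and not OpenSSL's own code: a classifier for the pair (SSL_read() return value, SSL_get_error() result) that separates a clean "close notify" from a transport that was simply shut down, plus a replay over constructed traces. The names `after_ssl_read`, `replay`, `struct verdict` and `struct outcome` are hypothetical, and the fallback `#define`s only stand in for `<openssl/ssl.h>` so the block compiles on its own.

```c
#include <poll.h>
/* In a real build include <openssl/ssl.h>; the fallbacks carry that header's values. */
#ifndef SSL_ERROR_NONE
#define SSL_ERROR_NONE        0
#define SSL_ERROR_SSL         1
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_SYSCALL     5
#define SSL_ERROR_ZERO_RETURN 6
#endif

enum next_step { KEEP_GOING, WAIT_IO, CLOSED_CLEAN, CLOSED_UNCLEAN };
struct verdict {            /* hypothetical type for this example */
    enum next_step step;
    short events;           /* poll() events to wait for; 0 once closed */
    int call_shutdown;      /* 1: answer with SSL_shutdown(); 0: do not */
};

/* ret is what SSL_read() returned, err is SSL_get_error(ssl, ret). */
struct verdict after_ssl_read(int ret, int err)
{
    if (ret > 0) return (struct verdict){ KEEP_GOING, POLLIN, 0 };
    switch (err) {
    case SSL_ERROR_WANT_READ:   /* no complete record available yet */
        return (struct verdict){ WAIT_IO, POLLIN, 0 };
    case SSL_ERROR_WANT_WRITE:  /* the read has to send first, e.g. a renegotiation */
        return (struct verdict){ WAIT_IO, POLLOUT, 0 };
    case SSL_ERROR_ZERO_RETURN: /* peer sent close notify: the data stream ended cleanly */
        return (struct verdict){ CLOSED_CLEAN, 0, 1 };
    default:                    /* SSL_ERROR_SYSCALL, SSL_ERROR_SSL: no close notify seen;
                                   SSL_get_error(3) says not to call SSL_shutdown() here */
        return (struct verdict){ CLOSED_UNCLEAN, 0, 0 };
    }
}

struct outcome { int ret, err; };   /* one constructed SSL_read() result */

/* Replays a trace of results, stops at the first close, and reports the bytes
 * received before it. Data that ends in CLOSED_UNCLEAN may have been truncated. */
enum next_step replay(const struct outcome *t, int n, long *bytes)
{
    enum next_step s = KEEP_GOING;
    *bytes = 0;
    for (int i = 0; i < n; i++) {
        s = after_ssl_read(t[i].ret, t[i].err).step;
        if (t[i].ret > 0) *bytes += t[i].ret;
        if (s == CLOSED_CLEAN || s == CLOSED_UNCLEAN) break;
    }
    return s;
}
```

A caller that treats `CLOSED_UNCLEAN` the same as `CLOSED_CLEAN` cannot tell a complete message from one cut short by closing the underlying transport.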
