On Fri, May 21, 1999 at 09:08:52AM +0200, Ralf S. Engelschall wrote:
>> What exactly does Apache with mod_ssl do when shutting down an SSL
>> connection (in the default case)? Does it send its close_notify alert
>> and then send a FIN -- i.e. shutdown(..., SHUT_WR) -- so that the
>> browser still can write TCP data, or does it send the close_notify
>> alert and then immediately perform a (half-duplex) close(...)?
> ^^^^ half? you mean full, right?
Maybe I *mean* "full-duplex", but I did intend to write "half-duplex" :-)
That's the term used in RFC 1122; it looks just as strange to me as it
does to you, but as the standard uses that terminology ...
> In the default case mod_ssl does approximately the following (it's a lot more
> complex, because parts of this are done by mod_ssl, parts of this by the
> Apache kernel and what the Apache kernel actually does depends on [...]
That's why I ask -- otherwise I'd just look at the source :-)
> SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
> SSL_smart_shutdown(ssl);
> SSL_free(ssl);
> ap_bsetflag(fb, B_EOUT, 1);
> [ shutdown(fb->fd, SHUT_WR); ]
> ap_bclose(fb);
>
> The first three are still inside mod_ssl (ssl is an SSL*), the ap_xx() inside
> the Apache kernel (fb is a BUFF* corresponding to a fd). The shutdown() is
> done not always by Apache (depends on platform and whether lingering close
> should be done).
>
> On FreeBSD where the lingering close with shutdown() is done I've never
> observed any problems (my testserver was also a FreeBSD box). When I
> understand you correctly, the problem can be those platforms where Apache
> doesn't do the lingering close, right?
Could be, yes. Netscape does not recognize the shutdown until the TCP
connection is closed (i.e. a FIN arrives -- I think the actual
close_notify is just ignored), and it checks for this only when it
wants to reuse the open connection -- if IE behaves like that, but
additionally tries to send its own close_notify when this happens,
then it cannot work, because it will get a RST if the server has
totally closed the connection by then. So there's the I/O error.
What those browsers should do, of course, is select() for readability
on all their open connections even while they are not used, so that
they can detect a FIN and, in the SSL/TLS case, incoming alerts and
the like at once. Maybe IE does that, but needs the FIN after the
server's close_notify -- then everything should work fine with servers
that use shutdown(..., 1), but not with those that just use
close(...).
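The difference described above, as an added example that is not part of this thread or of mod_ssl: a loopback TCP pair in which the "server" writes one last record (standing in for close_notify) and then either half-closes with shutdown(SHUT_WR) or fully close()s, after which the "client" tries to send its own final record. Function and helper names are mine; the RST-on-data-after-close behaviour is that of a Linux kernel.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build a connected TCP pair over loopback; returns 0 on success, -1 on error. */
static int loopback_pair(int *srv, int *cli) {
    struct sockaddr_in a = { .sin_family = AF_INET };   /* port 0: kernel picks */
    socklen_t alen = sizeof a;
    int l = socket(AF_INET, SOCK_STREAM, 0);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (l < 0 || bind(l, (struct sockaddr *)&a, alen) || listen(l, 1) ||
        getsockname(l, (struct sockaddr *)&a, &alen)) return -1;
    *cli = socket(AF_INET, SOCK_STREAM, 0);
    if (*cli < 0 || connect(*cli, (struct sockaddr *)&a, alen)) return -1;
    *srv = accept(l, NULL, NULL);
    close(l);
    return *srv < 0 ? -1 : 0;
}

/* Server writes its last record (playing the close_notify alert), then either
 * half-closes with shutdown(SHUT_WR), as Apache does where it lingers, or
 * close()s outright. Returns 1 if the client's own final record is still
 * accepted, 0 if the client gets an I/O error instead, -1 on setup failure. */
int peer_can_still_send(int half) {
    int srv, cli, ok;
    char buf[32];
    if (loopback_pair(&srv, &cli)) return -1;
    send(srv, "close_notify", 12, 0);
    if (half) shutdown(srv, SHUT_WR);   /* FIN goes out; srv can still read */
    else      close(srv);               /* FIN goes out; nobody left to read */
    if (recv(cli, buf, sizeof buf, 0) != 12) return -1;  /* the "alert" */
    if (recv(cli, buf, sizeof buf, 0) != 0) return -1;   /* EOF, i.e. the FIN */
    /* Client answers with its own close_notify; the first send() only queues
     * the bytes locally, so it succeeds on both paths. */
    ok = send(cli, "bye", 3, MSG_NOSIGNAL) == 3;
    if (half) {
        ok = ok && recv(srv, buf, sizeof buf, 0) == 3;   /* server reads "bye" */
        close(srv);
    } else {
        /* Data for a fully closed socket is answered with a RST; wait for it
         * to land, after which the next send() fails (EPIPE/ECONNRESET). */
        struct pollfd p = { cli, POLLHUP, 0 };
        poll(&p, 1, 2000);
        ok = ok && send(cli, "bye", 3, MSG_NOSIGNAL) == 3;
    }
    close(cli);
    return ok;
}
```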
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]