AFAIK, if a close notify is not sent, the SSL connection termination
is considered premature and the session cannot be reused. The
specification does not define it as a MUST, rather it is defined as a
SHOULD. If session reuse is not a necessary criterion (if you're willing to
compromise performance) then the server need not send the close notify.

Thanks
--Gayathri

Hi,

If I understand it correctly the close_notify alert is only there to
prevent a truncation attack.  If your higher level protocol can
check that all expected data is present then it is OK just to
close the socket.

To be safe it would be better to call SSL_shutdown() in the client
when it is complete.  In the server you can call SSL_get_shutdown()
when you expect the client may disconnect.  In the server it should
be fine to call SSL_shutdown() anyway.  I don't think the SSL
specification defines whether the server must send a close_notify.

I hope this helps,
Mark.
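
The check described in the reply above (accept a bare socket close only when the higher-level protocol can prove all data arrived), as an added example that is not part of the original posts or of OpenSSL. The 4-byte length framing, the function names and the sample bytes are assumptions made for illustration; the caller is expected to derive got_close_notify from SSL_get_shutdown().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum end_verdict {
    END_CLEAN,     /* close_notify received and no partial message pending */
    END_COMPLETE,  /* no close_notify, but framing shows nothing is missing */
    END_TRUNCATED  /* data is, or may be, missing: treat as an error */
};

/* Assumed framing: 4-byte big-endian length, then that many payload bytes.
 * Returns the bytes left after the last whole frame (0 = on a boundary). */
static size_t trailing_partial(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (len - off >= 4) {
        uint32_t n = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                     ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
        if (n > len - off - 4)  /* body runs past what was received */
            break;
        off += 4 + (size_t)n;
    }
    return len - off;
}

/* got_close_notify: with OpenSSL, (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) != 0.
 * self_delimiting: 0 when the protocol relies on EOF to mark the end of data. */
enum end_verdict classify_end(const uint8_t *buf, size_t len,
                              int got_close_notify, int self_delimiting)
{
    if (!self_delimiting)  /* only the alert can vouch for the end of data */
        return got_close_notify ? END_CLEAN : END_TRUNCATED;
    if (trailing_partial(buf, len) != 0)
        return END_TRUNCATED;
    return got_close_notify ? END_CLEAN : END_COMPLETE;
}

int main(void)
{
    /* Constructed sample: two frames, "hi" and "!" */
    const uint8_t s[] = {0, 0, 0, 2, 'h', 'i', 0, 0, 0, 1, '!'};
    static const char *name[] = {"clean", "complete", "truncated"};
    printf("whole stream, bare close:  %s\n", name[classify_end(s, sizeof s, 0, 1)]);
    printf("cut mid-frame, bare close: %s\n", name[classify_end(s, 10, 0, 1)]);
    printf("EOF-delimited, bare close: %s\n", name[classify_end(s, sizeof s, 0, 0)]);
    return 0;
}
```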


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
