YUN GAO wrote:
Hi there:
SSL_shutdown used to have a problem that in some instances it always
returns 0 no matter how many time it is called before 0.9.8l.
To solve the issue, I have to call SSL_shutdown() twice and check the
error number and return code at the second time: if the return code
is 0 and the error number from SSL_get_error() is not
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, SSL_shutdown()
is confirmed.
I found this has been solved in 1.0.1b, SSL_shutdown() always return
-1 if the SSL connection has been closed already, and the error number
now becomes SSL_ERROR_SYSCALL and the second time calling SSL_shutdow().
I looked at the ChangeLog, and found a SSL_shutdown() fix in 0.9.8m, I
wonder if this is the one that contributes to the different behavoir
as I describd
above.

Sorry for late reply to old post. I just did a search on topic to notice your unreply posting.


Yes indeed it does.  Please search mailing list for full information.
Some small code was provided on mailing-list that could be cut and pasted to provide same compatibility of previous behaviour but using new API, also this code is backwards compatible meaning it could be added to your application today and it would not matter if you were using OpenSSL version at runtime from before the change (such as 0.9.7) or after the change (such as 1.0.0).

Think of the new behaviour as providing/exposing additional information that was previously hidden.


Previously it was not possible to detect with certainty flow control and lack of data issues during SSL shutdown.

Before 0.9.8m (or whatever version it was changed, I take your word for it) the return value of 0 could mean any of the 3 new states:

-1/WANT_WRITE
0 (this has same meaning as -1/WANT_READ and it return for compatibility with API, but the 0 is only visible once to provide that compatibilty)
-1/WANT_READ


The return value of 1 has the same meaning in the previous behaviour and current behaviour of the SSL_shutdown() API.


When you refer to version 1.0.1b are you talking about a patch in that version, or is this the version you happened to be testing with ?

All versions since 0.9.8m (if that is the correct version) should detect a close of lower level transport (i.e. socket) with the usual -1/SSL_ERROR_SYSCALL or -1/SSL_ZERO_RETURN as you would also expect to see from SSL_read() usage.


Darryl

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to