Re: [openssl-users] What is the best practise for shutdown SSL connections?

Sun, 01 Feb 2015 23:26:02 -0800 

Hi, Viktor.

02.02.2015, 02:08, "Viktor Dukhovni" <openssl-us...@dukhovni.org>:
> On Mon, Feb 02, 2015 at 01:32:42AM +0300, Serj wrote:
>>  But what about the best practice for shutdown of connection on the client 
>> side?
>
>     http://tools.ietf.org/html/rfc5246#section-7.2.1

I read RFC. Have read "7.2.1. Closure Alerts" once again.
But this is the normative document. I ask: what in practise in terms of OpenSSL 
API?

As I already said some servers don't send "close_notify" and just close the 
connection.

So I think the shutdown algorithm for SSL client must be the following:
-------------------------------------------------------------------------
//...
//all data was obtained from the server

if (SSL_shutdown(ssl)==1)
{
  closesocket(s)
  goto l_shutdown_complete;
}

shutdown(s,SD_SEND);

//set timeout for getting "close_notify" from SERVER
//in the cycle... waiting events from socket or timeout (which comes first):
//
//1. process SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE (in this case only 
SSL_ERROR_WANT_READ because seems to be SSL_shutdown() send "close_notify" 
alert to SERVER), call SSL_shutdown() once again and examine it's return value 
for 1 OR examine SSL_get_shutdown() for 
(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)
//
//2. Wait FD_CLOSE
//
//3. Timeout

//if one of three happens closesocket(s)
-------------------------------------------------------------------------



>>  And what about the best practice for shutdown of connection on the server
>>  side? Is it mandatory to wait "close_notify" from client to be able to
>>  save valid session for this client or not? If server close the connection
>>  after all data has been sent to the client and don't receive "close_notify",
>>  will be the session kept?
>
>     http://tools.ietf.org/html/rfc5246#section-7.2.1

I ask: what in practise in terms of OpenSSL API?
If SERVER close the connection after all data has been sent to the client and 
will not wait for "close_notify" alert from CLIENT, will be the session kept 
and valid in OpenSLL API?
I mean, can CLIENT then reuse this session, if it doesn't send "close_notify" 
alert? Or this session will be invalid?

--
Best Regards,

Serj
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to