On 1/10/2019 17:07, Charles Mills wrote:
>
> On Windows, for a new session, I am issuing a Windows accept()
> followed by SSL_new(), SSL_set_fd() and so forth.
>
>
>
> When the session sees some sort of an abnormal receive condition, I am
> doing
>
>
>
> int *retCode* = SSL_get_shutdown(sessionSSL);
>
> if ( *retCode* & SSL_RECEIVED_SHUTDOWN )
>
> {
>
> SSL_shutdown(sessionSSL);
>
> }
>
> else
>
> {
>
> SSL_clear(sessionSSL);
>
> }
>
>
>
> Questions:
>
>
>
> 1. Do I also need to do a closesocket() (equivalent to UNIX
> close()) on the Windows socket?
>
> 2. Does anyone want to critique the above logic in any other way?
>
>
>
> The code basically “works” but I see evidence that a Windows TCP
> session is still open following an SSL error.
>
>
>
> Thanks,
>
>
>
> /Charles Mills/
>
>
Are you sure you want to use SSL_clear() in the first place? It retains
the session's settings which is only useful if the *exact* same peer is
going to reconnect on the same SSL object. If a *different* peer
connects there's a decent shot that the connection will fail.
You also likely want to call SSL_shutdown(connection) again IF the first
call returns zero; the first one sends a notification and if the other
end hasn't closed yet returns zero. The second waits for a termination,
either normal notification or abnormal, from the other end.
if (!SSL_shutdown(connection)) {
SSL_shutdown(connection)
}
The underlying handle is still open at the OS level after this, so on
Unix anyway you want to notify the OS that the socket is invalid for
further I/O and then close it.
Code snippet (took_error is a flag that says "this connection is no
longer needed", it's could be either an error in the higher level code
or a "we're all done, let this connection go" indication):
if (slave_socket[x].took_error) {
slave_socket[x].connected = 0; /* Connection is void */
if (slave_socket[x].ssl_fd != NULL) { /* If there's
a valid SSL connection */
if (!SSL_shutdown(slave_socket[x].ssl_fd)) {
SSL_shutdown(slave_socket[x].ssl_fd);
}
SSL_free(slave_socket[x].ssl_fd);
slave_socket[x].ssl = 0; /* We are not in SSL
mode */
}
shutdown(slave_socket[x].fd, SHUT_RDWR);
close(slave_socket[x].fd);
..... Clean up the rest of the things you need to do
when the connection ends
Since the next connection may come from a different peer I do not use
SSL_clear but rather SSL_free.
The call to shutdown() tells the OS to send any data queued on the
socket, wait for an ACK and then send FIN.
--
Karl Denninger
k...@denninger.net <mailto:k...@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
smime.p7s
Description: S/MIME Cryptographic Signature
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
