Re: RST after close_notify

2014-08-11 Thread Donald J. 
The server end appears to be GlobalScape EFT running on a windows
server.
I will summarize the IBM response:

When SSL is not involved, TCP will normally go through a graceful
   connection teardown sequence where one side initiates the connection 
   closure by sending out a FIN.  The other side acks that FIN and  
   sends out their own FIN...

When SSL is involved or when an application is implemented to end the
   connection with a Reset (using SOLINGER), one side can send out a FIN
   then the application immediately closes down its socket.  Then   
   anything with data comes in after that results in a Reset coming out.
   When the other side receives the Reset, their TCP immediately cleans 
   up that connection.  

Using this SSL session as an example, the remote side sends out the  
   FIN.  At this point, the application on the remote side seems to 
   have already closed down its socket.  When we receive the FIN, SSL   
   layer still needs to send out the SSL alert.  Therefore, we are not  
   sending out our FIN just yet because we're still waiting for the ack 
   for the FIN.  The remote side then sends back the ack along with the 
   Reset.  When we receive the Reset, we clean up the connection
   without any further communication. 

-- 
  Donald J.
  dona...@4email.net

On Sat, Aug 9, 2014, at 09:44 AM, Michael Wojcik wrote:
 Well, it sounds like someone needs to modify the client, then, if you
 want to use SSL/TLS.
 
 should return a FIN before RST is an oversimplification, and possibly
 incorrect, depending on what should means in this context. There is no
 simple explanation of this.
 ...
 

-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
  unladen european swallow

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RST after close_notify

2014-08-08 Thread Donald J. 
I have an issue with an FTP client issuing a DIR command to a Windows
FTP server.
A normal packet trace is shown in sequence 1 below.  An Ack Fin is
received
from the Windows FTP server and the DIR command completes successfully.

In the 2nd sequence, each side exchanges close_notify, but no Fin
flags are set.
Windows FTP server ends with an  Ack Rst.   After receiving the Reset
packet,
the FTP client issues a connection reset' message and sets an error
code.
Is that the correct thing to do?

1) Successful DIR command output being received:
IN   Ack
IN   Ack 536Bytes
IN   Ack 536B
OUT  Ack Psh
IN   Ack 536B
IN   Ack 536B
IN   Ack 536B
IN   Ack 536B
IN   Ack Psh  79B  42B  15 (close_notify alert)  
OUT  Ack Psh 
IN   Ack Fin   
OUT  Ack Psh  37B  15 (close_notify alert)
IN   Ack Rst   

2) DIR command fails with error:   
IN   Ack
IN   Ack 536B
IN   Ack 536B
OUT  Ack Psh
IN   Ack 536B
IN   Ack 536B
IN   Ack 536B
IN   Ack 536B
IN   Ack Psh  42B   
OUT  Ack Psh
IN   Ack Psh  37B  15 (close_notify alert)   
OUT  Ack Psh   
OUT  Ack Psh  37B  15 (close_notify alert)   
IN   Ack Rst

-- 
  Donald J.
  dona...@4email.net

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and
  love email again

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: RST after close_notify

2014-08-08 Thread Donald J. 
The FTP client is a batch mainframe process which 
must get return code zero, or someone gets called 
in the middle of the night.  I have been working 
with IBM support which claims that the server should 
return a Fin before Rst.  So I will probably turn this 
problem over to our PC server group.  

I don't really understand why in the successful sequence, 
the client sends Ack PSh and waits to receive the 
Ack Fin before sending the close_notify.  But in the 
failing sequence the client sends Ack Psh, then 
immediately sends lose_notify without any waiting.

If the server is closing its connection after sending the 
close_notify, it probably wouldn't send the Ack Fin in 
the successful sequence?

I guess IBM is saying the server should send Ack Fin,
wait for Ack from client, and server then would  send
the AckRst?   

-- 
  Donald J.
  dona...@4email.net

On Fri, Aug 8, 2014, at 02:03 PM, Michael Wojcik wrote:
  -Original Message-
  From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
  us...@openssl.org] On Behalf Of Donald J.
  Sent: Friday, 08 August, 2014 15:34
  To: openssl-users@openssl.org
  Subject: RST after close_notify
  
  I have an issue with an FTP client issuing a DIR command to a Windows
  FTP server.
  A normal packet trace is shown in sequence 1 below.  An Ack Fin is
  received
  from the Windows FTP server and the DIR command completes successfully.
 
 Both of your traces below show an RST in the final packet, not a FIN.
 
 
  In the 2nd sequence, each side exchanges close_notify, but no Fin
  flags are set.
  Windows FTP server ends with an  Ack Rst.   After receiving the Reset
  packet,
  the FTP client issues a connection reset' message and sets an error
  code.
  Is that the correct thing to do?
 
 Are you questioning the server's behavior, or the client's?
 
 Probably what happened is the server sent its close_notify and then
 closed its end of the connection without waiting for the client's
 close_notify response. See Eric Rescorla's /SSL and TLS/ book, 8.10, for
 further discussion. This is unfriendly behavior by the server, in my
 opinion, but common enough for Rescorla to discuss it.
 
 It's also possible the server did an abortive close, which would be the
 Wrong Thing to do, but the former case is more likely. And in any event,
 your client couldn't distinguish between the two. (And what would you do
 about it anyway? If someone else's server behaves badly, you have to deal
 with it in some fashion.)
 
 How the client handles receiving a RST (generally manifests as a return
 code of -1 from send or recv, with errno set to ECONNRESET [1]; with
 OpenSSL you should get SSL_ERROR_SYSCALL and check errno) is a matter of
 taste. Often you do want to report that the connection was reset. In this
 case, though, since a reset is not unexpected AND you know you've
 received all the data from the server - you got its close_notify - it's
 better to silently ignore it.
 
 In short, the logic should be something like this:
 
   if RST-received
   if we were trying to send data
   check for a close_notify from the peer
   end-if
   if close_notify not already recevied from peer
   treat as failure
   end-if
   close socket and clean up
   end-if
 
 
 [1] This assumes the application, if it's running in a POSIX environment,
 has set the disposition of the SIGPIPE signal to ignore. SIGPIPE is a
 kluge for applications that don't check the result of the write/send
 family of system calls. Any well-written application should ignore it.
 
 
 -- 
 Michael Wojcik
 Technology Specialist, Micro Focus
 
 
 
 This message has been scanned for malware by Websense. www.websense.com
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org

-- 
http://www.fastmail.fm - Same, same, but different...

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org