Hi, Viktor. 01.02.2015, 23:50, "Viktor Dukhovni" <openssl-users at dukhovni.org>: > On Sun, Feb 01, 2015 at 11:36:20PM +0300, Serj wrote: >> ?1. Return values for SSL_shutdown() > > ????0 ?initially if shutdown alert sent, but not yet received from > ???????the peer. >> ?I never get 2 as a return value! > > Why do you expect "2"? ?[ Note, something is screwing up itemized > lists in the on-line documentation. ?Instead of showing item labels, > item numbers are showing up instead. ] Here: https://www.openssl.org/docs/ssl/SSL_shutdown.html I see only this: ----------------------------------------------------- RETURN VALUES The following return values can occur: 1. The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional shutdown shall be performed. The output of SSL_get_error may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. 2. The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close notify" alert was received. <0 The shutdown was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. It can also occur if action is need to continue the operation for non-blocking BIOs. Call SSL_get_error with the return value ret to find out the reason. ----------------------------------------------------- >?The nroff manpage says: > ????RETURN VALUES > ???????The following return values can occur: > > ???????0 ??The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional > ???????????shutdown shall be performed. ?The output of SSL_get_error(3) may be misleading, as an erroneous > ???????????SSL_ERROR_SYSCALL may be flagged even though no error occurred. > > ???????1 ??The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close > ???????????notify" alert was received. > > ???????-1 ?The shutdown was not successful because a fatal error occurred either at the protocol level or a > ???????????connection failure occurred. It can also occur if action is need to continue the operation for > ???????????non-blocking BIOs. ?Call SSL_get_error(3) with the return value ret to find out the reason. Seems to be this is right. This is exactly what I wanted to see here: https://www.openssl.org/docs/ssl/SSL_shutdown.html >> ?2. What is the best practise for shutdown SSL connections for CLIENT? > > Call ssl_shutdown() and if it returns 0, call it again processing > WANT_READ/WANT_WRITE as required. I use non-blocking sockets. That's why I got -1 as return value after first ssl_shutdown(). I process WANT_READ/WANT_WRITE. But some servers don't send "close_notify", so we never got a 1 as a return value. We must be sure that server got a "close_notify" - this is the question! What is the best practise for that? -- Best Regards, Serj
