What is the best practise for shutdown SSL connections?

Hi, Viktor.

02.02.2015, 02:08, "Viktor Dukhovni" <openssl-users at dukhovni.org>:
> On Mon, Feb 02, 2015 at 01:32:42AM +0300, Serj wrote:
>> But what about the best practice for shutdown of connection on the client side?
>
>     http://tools.ietf.org/html/rfc5246#section-7.2.1

I have read the RFC, and I have read "7.2.1. Closure Alerts" once again.
But this is the normative document. I am asking what is done in practice, in terms of the OpenSSL API.

As I already said, some servers don't send "close_notify" and just close the connection.

So I think the shutdown algorithm for an SSL client must be the following:
-------------------------------------------------------------------------
//...
//all data was obtained from the server

if (SSL_shutdown(ssl)==1)
{
  closesocket(s);
  goto l_shutdown_complete;
}

shutdown(s,SD_SEND);

//set timeout for getting "close_notify" from SERVER
//in the cycle... waiting events from socket or timeout (which comes first):
//
//1. process SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE (in this case only SSL_ERROR_WANT_READ, because SSL_shutdown() seems to have already sent the "close_notify" alert to SERVER), call SSL_shutdown() once again and examine its return value for 1, OR examine SSL_get_shutdown() for (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)
//
//2. Wait FD_CLOSE
//
//3. Timeout

//if one of three happens closesocket(s)
-------------------------------------------------------------------------



>> And what about the best practice for shutdown of connection on the server
>> side? Is it mandatory to wait "close_notify" from client to be able to
>> save valid session for this client or not? If server close the connection
>> after all data has been sent to the client and don't receive "close_notify",
>> will be the session kept?
>
>     http://tools.ietf.org/html/rfc5246#section-7.2.1

I am asking what happens in practice, in terms of the OpenSSL API.
If the SERVER closes the connection after all data has been sent to the client and does not wait for the "close_notify" alert from the CLIENT, will the session be kept and valid in the OpenSSL API?
I mean, can the CLIENT then reuse this session if it doesn't send a "close_notify" alert? Or will this session be invalid?

--
Best Regards,

Serj

