Re: Close TCP socket after SSL_clear()?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 1/10/2019 17:07, Charles Mills wrote:

On Windows, for a new session, I am issuing a Windows accept() followed by SSL_new(), SSL_set_fd() and so forth.

 

When the session sees some sort of an abnormal receive condition, I am doing

 

       int retCode = SSL_get_shutdown(sessionSSL);

       if ( retCode & SSL_RECEIVED_SHUTDOWN )

       {

              SSL_shutdown(sessionSSL);

       }

       else

       {

              SSL_clear(sessionSSL);

       }

 

Questions:

 

1.       Do I also need to do a closesocket() (equivalent to UNIX close()) on the Windows socket?

2.       Does anyone want to critique the above logic in any other way?

 

The code basically “works” but I see evidence that a Windows TCP session is still open following an SSL error.

 

Thanks,

 

Charles Mills


Are you sure you want to use SSL_clear() in the first place?  It retains the session's settings which is only useful if the *exact* same peer is going to reconnect on the same SSL object.  If a *different* peer connects there's a decent shot that the connection will fail.

You also likely want to call SSL_shutdown(connection) again IF the first call returns zero; the first one sends a notification and if the other end hasn't closed yet returns zero.  The second waits for a termination, either normal notification or abnormal, from the other end.

    if (!SSL_shutdown(connection)) {
        SSL_shutdown(connection)
    }

The underlying handle is still open at the OS level after this, so on Unix anyway you want to notify the OS that the socket is invalid for further I/O and then close it.

Code snippet (took_error is a flag that says "this connection is no longer needed", it's could be either an error in the higher level code or a "we're all done, let this connection go" indication):

                if (slave_socket[x].took_error) {
                    slave_socket[x].connected = 0;  /* Connection is void */
                    if (slave_socket[x].ssl_fd != NULL) { /* If there's a valid SSL connection */
                        if (!SSL_shutdown(slave_socket[x].ssl_fd)) {
                            SSL_shutdown(slave_socket[x].ssl_fd);
                        }
                        SSL_free(slave_socket[x].ssl_fd);
                        slave_socket[x].ssl = 0; /* We are not in SSL mode */
                    }
                    shutdown(slave_socket[x].fd, SHUT_RDWR);
                    close(slave_socket[x].fd);

                    ..... Clean up the rest of the things you need to do when the connection ends

Since the next connection may come from a different peer I do not use SSL_clear but rather SSL_free.

The call to shutdown() tells the OS to send any data queued on the socket, wait for an ACK and then send FIN.

--
Karl Denninger
karl@xxxxxxxxxxxxx
The Market Ticker
[S/MIME encrypted email preferred]

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux