Re: Close TCP socket after SSL_clear()?

["Charles Mills" <charlesm@xxxxxxx>]

@Karl, thanks, I’m not sure of anything. This was my first OpenSSL project and I just hacked on it until it “worked.” It’s been working for years but now we are seeing a re-connection error.

 

So, it sounds like

 

·         Do the SSL_shutdown() a second time if it returns 0.

·         Lose the SSL_clear()

·         There is an SSL_free() in there following the snippet I pasted – leave it in there

·         Clean up the underlying socket appropriately. Looks like perhaps shutdown(socket, SD_BOTH) is the Windows equivalent of SHUT_RDWR – followed by closesocket()

 

Thanks again!

 

Charles

 

From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Karl Denninger
Sent: Friday, January 11, 2019 10:04 AM
To: openssl-users@xxxxxxxxxxx
Subject: Re: Close TCP socket after SSL_clear()?

 

 

On 1/10/2019 17:07, Charles Mills wrote:

On Windows, for a new session, I am issuing a Windows accept() followed by SSL_new(), SSL_set_fd() and so forth.

 

When the session sees some sort of an abnormal receive condition, I am doing

 

       int retCode = SSL_get_shutdown(sessionSSL);

       if ( retCode & SSL_RECEIVED_SHUTDOWN )

       {

              SSL_shutdown(sessionSSL);

       }

       else

       {

              SSL_clear(sessionSSL);

       }

 

Questions:

 

1.       Do I also need to do a closesocket() (equivalent to UNIX close()) on the Windows socket?

2.       Does anyone want to critique the above logic in any other way?

 

The code basically “works” but I see evidence that a Windows TCP session is still open following an SSL error.

 

Thanks,

 

Charles Mills

 

Are you sure you want to use SSL_clear() in the first place?  It retains the session's settings which is only useful if the *exact* same peer is going to reconnect on the same SSL object.  If a *different* peer connects there's a decent shot that the connection will fail.

You also likely want to call SSL_shutdown(connection) again IF the first call returns zero; the first one sends a notification and if the other end hasn't closed yet returns zero.  The second waits for a termination, either normal notification or abnormal, from the other end.

    if (!SSL_shutdown(connection)) {
        SSL_shutdown(connection)
    }

The underlying handle is still open at the OS level after this, so on Unix anyway you want to notify the OS that the socket is invalid for further I/O and then close it.

Code snippet (took_error is a flag that says "this connection is no longer needed", it's could be either an error in the higher level code or a "we're all done, let this connection go" indication):

                if (slave_socket[x].took_error) {
                    slave_socket[x].connected = 0;  /* Connection is void */
                    if (slave_socket[x].ssl_fd != NULL) { /* If there's a valid SSL connection */
                        if (!SSL_shutdown(slave_socket[x].ssl_fd)) {
                            SSL_shutdown(slave_socket[x].ssl_fd);
                        }
                        SSL_free(slave_socket[x].ssl_fd);
                        slave_socket[x].ssl = 0; /* We are not in SSL mode */
                    }
                    shutdown(slave_socket[x].fd, SHUT_RDWR);
                    close(slave_socket[x].fd);

                    ..... Clean up the rest of the things you need to do when the connection ends

Since the next connection may come from a different peer I do not use SSL_clear but rather SSL_free.

The call to shutdown() tells the OS to send any data queued on the socket, wait for an ACK and then send FIN.

--
Karl Denninger
karl@xxxxxxxxxxxxx
The Market Ticker
[S/MIME encrypted email preferred]

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users