ngx_ssl_shutdown() using SSL_shutdown() incorrectly?
Igor Sysoev
igor at sysoev.ru
Thu Dec 3 07:39:44 UTC 2015
On 03 Dec 2015, at 10:28, Judson Wilson <wilson.judson at gmail.com> wrote:
> On inspecting some code for academic reasons, I noticed that ngx_ssl_shutdown() looks like it might be using SSL_shutdown() incorrectly?
>
> I haven't actually "used" the code, and have not tested it or seen any symptoms.
>
>
> The first hint of a problem is the following comment:
>
> /* SSL_shutdown() never returns -1, on error it returns 0 */
>
> which does not match the OpenSSL man page very well, or the OpenSSL function ssl3_shutdown() definition.
SSL_shutdown() never returned -1 prior to version 0.9.8m, despite the man page.
> Second, it appears that with the way SSL_set_shutdown() is being used to stuff flags into the SSL state, SSL_shutdown() should be called until it returns 1, which may take multiple calls, even if there isn't a WANT_READ or WANT_WRITE condition upon returning -1 (or 0?). Generally one call is used to send a close_notify, which returns 0 (assuming SSL_set_shutdown hasn't stuffed in SSL_RECEIVED_SHUTDOWN), and further calls won't return 1 until it receives close_notify.
>
> Quite possibly I am missing some assumptions, which would make good comments in the code.
>
> I hope this is useful.
Now the code and the comment should be changed, thank you.
--
Igor Sysoev
http://nginx.com
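
Added example (not part of the original message, and not nginx or OpenSSL code): a simplified C model of the return values discussed above, showing how flags stuffed in with SSL_set_shutdown() change how many SSL_shutdown() calls are needed and whether a close_notify is sent at all. The struct and function names are hypothetical; writes are assumed never to block and the peer's close_notify is assumed to arrive after one wait.

```c
#include <stdio.h>

/* Flag values as in <openssl/ssl.h>; redefined so the model builds alone. */
#define SENT_SHUTDOWN     1   /* SSL_SENT_SHUTDOWN */
#define RECEIVED_SHUTDOWN 2   /* SSL_RECEIVED_SHUTDOWN */

/* Hypothetical model of one non-blocking TLS connection (not an OpenSSL type). */
struct model_conn {
    int shutdown;        /* flags, as SSL_set_shutdown() would stuff them */
    int peer_alert_in;   /* 1 once the peer's close_notify is readable */
    int alerts_sent;     /* close_notify alerts this side actually sent */
};

/* Simplified model of SSL_shutdown(): 1 = complete, 0 = only ours sent,
 * -1 = must wait for the peer's close_notify (the WANT_READ case). */
int model_shutdown(struct model_conn *c)
{
    if (!(c->shutdown & SENT_SHUTDOWN)) {
        c->shutdown |= SENT_SHUTDOWN;       /* first call sends close_notify */
        c->alerts_sent++;
    } else if (!(c->shutdown & RECEIVED_SHUTDOWN)) {
        if (!c->peer_alert_in)
            return -1;                      /* nothing to read yet */
        c->shutdown |= RECEIVED_SHUTDOWN;
    }
    return c->shutdown == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN) ? 1 : 0;
}

/* Call until 1 is returned. A -1 stands for one wait on the socket, after
 * which the peer's alert is readable. Returns the number of calls made. */
int calls_until_done(struct model_conn *c)
{
    for (int calls = 1; calls <= 10; calls++) {
        int r = model_shutdown(c);
        if (r == 1)
            return calls;
        if (r == -1)
            c->peer_alert_in = 1;           /* constructed: readable after one wait */
    }
    return -1;                              /* never completed */
}

int main(void)
{
    struct model_conn plain = {0, 0, 0};
    struct model_conn stuffed = {SENT_SHUTDOWN | RECEIVED_SHUTDOWN, 0, 0};
    printf("no flags: %d calls\n", calls_until_done(&plain));
    printf("both stuffed: %d calls\n", calls_until_done(&stuffed));
    printf("alerts sent when stuffed: %d\n", stuffed.alerts_sent);
    return 0;
}
```

With both flags stuffed in beforehand the model reports completion on the first call without sending any close_notify, so a return of 1 in that case says nothing about what the peer saw.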