ngx_ssl_shutdown() using SSL_shutdown() incorrectly?

Igor Sysoev igor at
Thu Dec 3 07:39:44 UTC 2015

On 03 Dec 2015, at 10:28, Judson Wilson <wilson.judson at> wrote:

> On inspecting some code for academic reasons, I noticed that ngx_ssl_shutdown() looks like it might be using SSL_shutdown() incorrectly?
> I haven't actually "used" the code, and have not tested it or seen any symptoms.
> The first hint of a problem is the following comment:
>  /* SSL_shutdown() never returns -1, on error it returns 0 */
> which does not match the OpenSSL man page very well, or the OpenSSL function ssl3_shutdown() definition.

SSL_shutdown() never returned -1 prior to 0.9.8m version despite man page.

> Second, it appears that with the way SSL_set_shutdown() is being used to stuff flags into the SSL state, SSL_shutdown() should be called until it returns 1, which may take multiple calls, even if there isn't a WANT_READ or WANT_WRITE condition upon returning -1 (or 0?).  Generally one call is used to send a close_notify, which returns 0 (assuming SSL_set_shutdown hasn't stuffed in SSL_RECEIVED_SHUTDOWN), and further calls wont return 1 until it receives close_notify.
> Quite possibly I am missing some assumptions, which would make good comments in the code.
> I hope this is useful.

Now code and the comment should be changed, thank you.

Igor Sysoev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx-devel mailing list