ngx_ssl_shutdown() using SSL_shutdown() incorrectly?

Judson Wilson wilson.judson at gmail.com
Thu Dec 3 07:54:34 UTC 2015


> SSL_shutdown() never returned -1 prior to 0.9.8m version despite man page.

Ah, I didn't check that far back.

I'll take this opportunity to remind everyone who might read this that
support for all versions of OpenSSL before 1.0.1 ceases at the end of this
month.

https://openssl.org/policies/releasestrat.html




On Wed, Dec 2, 2015 at 11:39 PM, Igor Sysoev <igor at sysoev.ru> wrote:

> On 03 Dec 2015, at 10:28, Judson Wilson <wilson.judson at gmail.com> wrote:
>
> On inspecting some code for academic reasons, I noticed that
> ngx_ssl_shutdown() looks like it might be using SSL_shutdown() incorrectly?
>
> I haven't actually "used" the code, and have not tested it or seen any
> symptoms.
>
>
> The first hint of a problem is the following comment:
>
>  /* SSL_shutdown() never returns -1, on error it returns 0 */
>
> which does not match the OpenSSL man page very well, or the OpenSSL
> function ssl3_shutdown() definition.
>
>
> SSL_shutdown() never returned -1 prior to 0.9.8m version despite man page.
>
> Second, it appears that with the way SSL_set_shutdown() is being used to
> stuff flags into the SSL state, SSL_shutdown() should be called until it
> returns 1, which may take multiple calls, even if there isn't a WANT_READ
> or WANT_WRITE condition upon returning -1 (or 0?).  Generally one call is
> used to send a close_notify, which returns 0 (assuming SSL_set_shutdown
> hasn't stuffed in SSL_RECEIVED_SHUTDOWN), and further calls won't return 1
> until it receives close_notify.
>
> Quite possibly I am missing some assumptions, which would make good
> comments in the code.
>
> I hope this is useful.
>
>
> Now code and the comment should be changed, thank you.
>
>
> --
> Igor Sysoev
> http://nginx.com
>
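
The return-value handling discussed in this thread (0 after sending close_notify, 1 once the peer's close_notify has arrived, -1 with a want-read or want-write condition or a real error), as an added example that is not nginx or OpenSSL code. All `sd_*` names are hypothetical, and a scripted stand-in replaces the real SSL_shutdown() and SSL_get_error() calls so the block runs without OpenSSL.

```c
#include <stddef.h>
/* Values match OpenSSL's SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE. */
enum { ERR_WANT_READ = 2, ERR_WANT_WRITE = 3 };

typedef enum { SD_DONE, SD_AGAIN, SD_WAIT_READ, SD_WAIT_WRITE, SD_FAILED } sd_action;

/* Hypothetical pair: SSL_shutdown() return value and the SSL_get_error() code. */
typedef struct { int ret; int err; } sd_result;
typedef sd_result (*sd_call_fn)(void *ctx);

/* Decide what the caller must do after one shutdown call. */
sd_action sd_classify(sd_result r)
{
    if (r.ret == 1) return SD_DONE;   /* close_notify sent and received */
    if (r.ret == 0) return SD_AGAIN;  /* ours sent, peer's still outstanding */
    if (r.err == ERR_WANT_READ)  return SD_WAIT_READ;
    if (r.err == ERR_WANT_WRITE) return SD_WAIT_WRITE;
    return SD_FAILED;                 /* -1 with any other error code */
}

/* Repeat the call until it reports 1 or fails. A non-blocking server would
 * return to its event loop on SD_WAIT_*; here readiness is assumed.
 * Returns the number of calls made, or -1 on failure or when bounded out. */
int sd_drive(sd_call_fn call, void *ctx, int max_calls)
{
    for (int n = 1; n <= max_calls; n++) {
        sd_action a = sd_classify(call(ctx));
        if (a == SD_DONE)   return n;
        if (a == SD_FAILED) return -1;
    }
    return -1;
}

/* Constructed peer: replays a fixed list of results, then fails. */
typedef struct { const sd_result *steps; size_t len, pos; } sd_script;
sd_result sd_script_next(void *ctx)
{
    sd_script *s = ctx;
    if (s->pos >= s->len) return (sd_result){ -1, 0 };
    return s->steps[s->pos++];
}

/* Constructed scenarios: 0 = clean two-way close, 1 = failure before the peer's close_notify. */
int sd_demo(int scenario)
{
    static const sd_result clean[] = { {0, 0}, {-1, ERR_WANT_READ}, {1, 0} };
    sd_script s = { clean, scenario == 0 ? 3 : 2, 0 };
    return sd_drive(sd_script_next, &s, 8);
}
```
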