OpenSSL SSL_shutdown behavior

To: tech-crypto%netbsd.org@localhost
Subject: OpenSSL SSL_shutdown behavior
From: Thor Lancelot Simon <tls%netbsd.org@localhost>
Date: Mon, 2 Jun 2008 19:44:14 -0400

It's been the subject of regular comment on the openssl-dev list that
SSL_shutdown() doesn't reliably indicate, for a non-blocking connection,
which way you need to select for I/O ready -- forcing applications to
apply strange and horrible workarounds to avoid hanging or spinning if
they try to tidily (bidirectionally) shut down an SSL session.

A patch to fix this was offered to OpenSSL about two years ago (and
has been repeatedly re-offered each time the subject has come up)
but the OpenSSL maintainers for some reason seem to simply ignore it.
The patch adds -1 as a possible return value for SSL_shutdown and
causes the library to place WANT_READ or WANT_WRITE on the library's
error stack instead of SSL_ERROR_SYSCALL which is unuseful for telling
which way to select!

I would like to commit that patch to NetBSD.  It is really the only
sane solution.  But since the OpenSSL developers have been all up in
arms about others maintaining local patches to their Holy Source Code
since Debian gave them the opportunity, I thought I should check here
first...

Rationale for the patch (which doesn't note some of the other really
problematic use cases for the current "API") is at:
        http://marc.info/?l=openssl-dev&m=115153998821797&w=2
Patch itself is at:
        http://marc.info/?l=openssl-dev&m=115154030723033&q=p3

Thor

Follow-Ups:
- Re: OpenSSL SSL_shutdown behavior
  - From: Christos Zoulas

Prev by Date: Re: Bumping shlib majors (was: CVS commit: src/lib/libcrypto)
Next by Date: Soekris vpn1411 (Hifn 7955) not working
Previous by Thread: Re: Bumping shlib majors (was: CVS commit: src/lib/libcrypto)
Next by Thread: Re: OpenSSL SSL_shutdown behavior
Indexes:

Home | Main Index | Thread Index | Old Index