tech-crypto archive


OpenSSL SSL_shutdown behavior



It's been the subject of regular comment on the openssl-dev list that
SSL_shutdown() doesn't reliably indicate, for a non-blocking connection,
which way you need to select for I/O ready -- forcing applications to
apply strange and horrible workarounds to avoid hanging or spinning if
they try to tidily (bidirectionally) shut down an SSL session.

A patch to fix this was offered to OpenSSL about two years ago (and
has been repeatedly re-offered each time the subject has come up)
but the OpenSSL maintainers for some reason seem to simply ignore it.
The patch adds -1 as a possible return value for SSL_shutdown and
causes the library to place WANT_READ or WANT_WRITE on the library's
error stack instead of SSL_ERROR_SYSCALL which is unuseful for telling
which way to select!

I would like to commit that patch to NetBSD.  It is really the only
sane solution.  But since the OpenSSL developers have been all up in
arms about others maintaining local patches to their Holy Source Code
since Debian gave them the opportunity, I thought I should check here
first...

Rationale for the patch (which doesn't note some of the other really
problematic use cases for the current "API") is at:
        http://marc.info/?l=openssl-dev&m=115153998821797&w=2
Patch itself is at:
        http://marc.info/?l=openssl-dev&m=115154030723033&q=p3

Thor
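
An added example, not part of the original post or the patch: a bounded non-blocking shutdown loop that picks the poll direction from WANT_READ/WANT_WRITE, assuming the result is read back through SSL_get_error(). The `tls_ops` adapter and the scripted `fake` connection are hypothetical stand-ins so the sketch builds without OpenSSL; real code would wrap SSL_shutdown(), SSL_get_error() and poll().

```c
#include <poll.h>
#include <stdio.h>

/* Numeric values as in <openssl/ssl.h>, repeated so this builds without OpenSSL. */
enum { WANT_READ = 2, WANT_WRITE = 3, ERR_SYSCALL = 5 };

/* Hypothetical adapter: real code wraps SSL_shutdown(), SSL_get_error(), poll(). */
struct tls_ops {
    int (*shutdown)(void *conn);
    int (*get_error)(void *conn, int ret);
    int (*wait_ready)(void *conn, short events); /* > 0 once the fd is ready */
};

/* Returns 1 after a clean bidirectional shutdown, -1 on error or exhausted budget. */
int shutdown_nonblocking(const struct tls_ops *ops, void *conn, int max_calls)
{
    for (int i = 0; i < max_calls; i++) {
        short ev;
        int ret = ops->shutdown(conn);
        if (ret == 1)
            return 1;               /* both close_notify alerts exchanged */
        if (ret == 0)
            continue;               /* ours is sent; call again for the peer's */
        switch (ops->get_error(conn, ret)) {
        case WANT_READ:  ev = POLLIN;  break;
        case WANT_WRITE: ev = POLLOUT; break;
        default:         return -1; /* e.g. SYSCALL: no direction to wait on */
        }
        if (ops->wait_ready(conn, ev) <= 0)
            return -1;
    }
    return -1;                      /* bounded: never spin on a stuck connection */
}

/* Constructed stand-in for a connection: scripted results, records each wait. */
struct fake { const int *ret, *err; int i, nwaits; short waited[8]; };
static int f_shutdown(void *c) { struct fake *f = c; return f->ret[f->i++]; }
static int f_error(void *c, int r) { struct fake *f = c; (void)r; return f->err[f->i - 1]; }
static int f_wait(void *c, short ev) { struct fake *f = c; f->waited[f->nwaits++] = ev; return 1; }
const struct tls_ops fake_ops = { f_shutdown, f_error, f_wait };

int main(void)
{
    const int ret[] = { -1, 0, -1, 1 }, err[] = { WANT_WRITE, 0, WANT_READ, 0 };
    struct fake f = { ret, err, 0, 0, {0} };
    int r = shutdown_nonblocking(&fake_ops, &f, 8);
    printf("result=%d waits=%d\n", r, f.nwaits);
    return 0;
}
```

With only SSL_ERROR_SYSCALL available, the loop has no direction to wait on and must give up, which is the case the post complains about.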

