cloudflare / keyless

Cloudflare's Keyless SSL Server Reference Implementation

SSL_shutdown is incorrectly handled #94

Open jgrahamc opened 9 years ago

jgrahamc commented 9 years ago

The return code from SSL_shutdown in kssl_thread.c is not correctly handled. In particular, the WANT_READ/WANT_WRITE return codes are not being handled and this could result in a dirty connection shutdown.

We need to correctly handle those conditions and wait for SSL_shutdown to return 1 before killing the TCP connection.

jgrahamc commented 9 years ago

Worth seeing here how this is handled by a different project: https://github.com/droe/sslsplit/blob/master/pxysslshut.c

jgrahamc commented 9 years ago

From the OpenSSL documentation:

   If the underlying BIO is non-blocking, SSL_shutdown() will also return
   when the underlying BIO could not satisfy the needs of SSL_shutdown()
   to continue the handshake. In this case a call to SSL_get_error() with
   the return value of SSL_shutdown() will yield SSL_ERROR_WANT_READ or
   SSL_ERROR_WANT_WRITE. The calling process then must repeat the call
   after taking appropriate action to satisfy the needs of SSL_shutdown().
   The action depends on the underlying BIO. When using a non-blocking
   socket, nothing is to be done, but select() can be used to check for
   the required condition. When using a buffering BIO, like a BIO pair,
   data must be written into or retrieved out of the BIO before being able
   to continue.

jgrahamc commented 9 years ago

See: https://github.com/cloudflare/keyless/pull/93
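The shutdown loop the issue and the quoted OpenSSL documentation describe, as an added example (not code from the keyless repository or from the linked pull request): keep calling SSL_shutdown until it returns 1, retry after a 0, wait on the socket for SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE, treat any other error as fatal, and bound the number of rounds so a peer that never sends its close_notify cannot pin the connection open. The `tls_io` interface, `drive_tls_shutdown`, and the scripted `fake_*` stand-ins are hypothetical names introduced here so the loop compiles without libssl; the error-code constants are OpenSSL's real values.

```c
/* Values from <openssl/ssl.h>, copied here so this compiles without libssl. */
#define SSL_ERROR_NONE       0
#define SSL_ERROR_WANT_READ  2
#define SSL_ERROR_WANT_WRITE 3
#define SSL_ERROR_SYSCALL    5

/* Hypothetical interface. In kssl_thread.c the bindings would be:
 * shutdown -> SSL_shutdown(ssl), get_error -> SSL_get_error(ssl, rc),
 * wait_io  -> poll()/select() on the socket for POLLIN (want_read) or POLLOUT. */
struct tls_io {
    void *ssl;
    int (*shutdown)(void *ssl);               /* 1, 0 or <0 like SSL_shutdown */
    int (*get_error)(void *ssl, int rc);      /* like SSL_get_error */
    int (*wait_io)(void *ssl, int want_read); /* 0 when socket is ready, -1 on timeout */
};

enum { SHUTDOWN_CLEAN = 0, SHUTDOWN_FAILED = -1, SHUTDOWN_TIMEOUT = -2 };

/* Drive the TLS close_notify exchange to completion before close(2).
 *  1  : our close_notify sent and the peer's received -> clean shutdown
 *  0  : ours sent, peer's not yet seen -> call again (bidirectional shutdown)
 *  <0 : WANT_READ/WANT_WRITE -> wait for the socket, then retry;
 *       anything else (SSL_ERROR_SSL, SSL_ERROR_SYSCALL) is fatal, do not retry.
 * max_rounds caps how long a silent peer can hold the connection. */
int drive_tls_shutdown(struct tls_io *io, int max_rounds) {
    for (int round = 0; round < max_rounds; round++) {
        int rc = io->shutdown(io->ssl);
        if (rc == 1) return SHUTDOWN_CLEAN;
        if (rc == 0) continue;
        int err = io->get_error(io->ssl, rc);
        if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) return SHUTDOWN_FAILED;
        if (io->wait_io(io->ssl, err == SSL_ERROR_WANT_READ) != 0) return SHUTDOWN_TIMEOUT;
    }
    return SHUTDOWN_TIMEOUT;
}

/* Scripted stand-in (constructed test double): rcs[] are successive SSL_shutdown
 * return codes, errs[] the SSL_get_error code to report for each of them. Once the
 * script is exhausted it keeps returning the last entry, modelling a stalled peer. */
struct fake_ssl { const int *rcs; const int *errs; int n; int pos; };
static int fake_shutdown(void *p) { struct fake_ssl *f = p; return f->pos < f->n ? f->rcs[f->pos++] : f->rcs[f->n - 1]; }
static int fake_get_error(void *p, int rc) { struct fake_ssl *f = p; (void)rc; return f->errs[f->pos - 1]; }
static int fake_wait(void *p, int want_read) { (void)p; (void)want_read; return 0; /* socket "ready" */ }

int run_scripted(const int *rcs, const int *errs, int n, int max_rounds) {
    struct fake_ssl f = { rcs, errs, n, 0 };
    struct tls_io io = { &f, fake_shutdown, fake_get_error, fake_wait };
    return drive_tls_shutdown(&io, max_rounds);
}
```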