Posted to dev@trafficserver.apache.org by Susan Hinrichs <sh...@network-geographics.com> on 2015/02/05 16:35:57 UTC
One last query out about using SSL_CTX_set_quiet_shutdown
I'm trying to close out TS-2941.
Because ATS has SSL_CTX_set_quiet_shutdown enabled, it does not send
close_notify before shutting down the SSL connection. This does not
follow the TLS standard and causes the clients to send RSTs.
Can anyone remember why we are explicitly enabling
SSL_CTX_set_quiet_shutdown? If we don't remember why, I'm going to pull
it out so we operate in accordance with the standard.
Re: One last query out about using SSL_CTX_set_quiet_shutdown
Posted by Susan Hinrichs <sh...@network-geographics.com>.
Actually, I got some insight from reading the SSL_shutdown man page
https://www.openssl.org/docs/ssl/SSL_shutdown.html.
If you enable quiet_shutdown, the SSL_shutdown will always return with
success. Otherwise, you may need to call SSL_shutdown multiple times
(much as you do with SSL_accept), to get the close_notify handshake
through.
Based on that, I'm assuming the original motivation for using
quiet_shutdown was programming expediency. I'm moving on, assuming that.
If anyone else has additional insights, I'd appreciate hearing them.
Thanks,
Susan
On 2/5/2015 9:35 AM, Susan Hinrichs wrote:
> I'm trying to close out TS-2941.
>
> Because ATS has SSL_CTX_set_quiet_shutdown enabled, it does not send
> close_notify before shutting down the SSL connection. This does not
> follow the TLS standard and causes the clients to send RSTs.
>
> Can anyone remember why we are explicitly enabling
> SSL_CTX_set_quiet_shutdown? If we don't remember why, I'm going to
> pull it out so we operate in accordance with the standard.
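The multi-call SSL_shutdown behaviour described in the reply above, as an added example that is not part of the original thread or of ATS: it drives two OpenSSL endpoints through Python's ssl module, whose SSLObject.unwrap() wraps SSL_shutdown(), and shows that the side closing first (ATS's role) needs a second call after the peer's close_notify has come back. It assumes the openssl CLI is on PATH to mint a throwaway self-signed certificate.

```python
"""Constructed demo (not ATS code): the two-sided close_notify exchange through Python's
ssl module, whose SSLObject.unwrap() wraps SSL_shutdown(). Needs the openssl CLI for a cert."""
import os, ssl, subprocess, tempfile
from collections import namedtuple
Side = namedtuple("Side", "obj inbio outbio")   # one TLS endpoint plus its memory BIOs

def make_selfsigned(tmpdir):
    """Constructed CN=localhost certificate; requires the openssl CLI."""
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return crt, key
def attempt(fn):
    """Run one TLS step; True if it completed, False if it needs peer input first."""
    try:
        fn(); return True
    except ssl.SSLWantReadError:    # OpenSSL's SSL_ERROR_WANT_READ: call again later
        return False
def pump(src, dst):
    """Carry src's pending outgoing records to dst (stands in for the TCP socket)."""
    data = src.outbio.read()
    if data: dst.inbio.write(data)
def handshake(crt, key):
    """In-memory TLS session without sockets; returns (server, client) Sides."""
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.load_cert_chain(crt, key)
    sctx.num_tickets = 0                 # TLS 1.3: keep post-handshake tickets out of the way
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.check_hostname, cctx.verify_mode = False, ssl.CERT_NONE   # self-signed demo cert
    s_in, s_out, c_in, c_out = (ssl.MemoryBIO() for _ in range(4))
    srv = Side(sctx.wrap_bio(s_in, s_out, server_side=True), s_in, s_out)
    cli = Side(cctx.wrap_bio(c_in, c_out, server_hostname="localhost"), c_in, c_out)
    done = [False, False]
    while not all(done):
        done[0] = attempt(cli.obj.do_handshake); pump(cli, srv)
        done[1] = attempt(srv.obj.do_handshake); pump(srv, cli)
    return srv, cli
def shutdown_calls(srv, cli):
    """Server (ATS's role) closes first: its first unwrap() only sends close_notify and
    must be repeated once the client's close_notify has come back, so it needs 2 calls."""
    calls, done = {"server": 0, "client": 0}, {"server": False, "client": False}
    while not all(done.values()):
        for name, me, peer in (("server", srv, cli), ("client", cli, srv)):
            if not done[name]:
                calls[name] += 1; done[name] = attempt(me.obj.unwrap); pump(me, peer)
    return calls
def run_demo():
    with tempfile.TemporaryDirectory() as d:      # returns {'server': 2, 'client': 1}
        return shutdown_calls(*handshake(*make_selfsigned(d)))
```

With quiet shutdown enabled, OpenSSL's ssl3_shutdown instead marks both SENT and RECEIVED locally and returns 1 at once, which is why no close_notify ever reaches the peer.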