Posted to dev@trafficserver.apache.org by Susan Hinrichs <sh...@network-geographics.com> on 2015/02/05 16:35:57 UTC

One last query out about using SSL_CTX_set_quiet_shutdown

I'm trying to close out TS-2941.

Because ATS has SSL_CTX_set_quiet_shutdown enabled, it does not send 
close_notify before shutting down the SSL connection.  This does not 
follow the TLS standard and causes the clients to set RSTs.

Can anyone remember why we are explicitly enabling 
SSL_CTX_set_quiet_shutdown?  If we don't remember why, I'm going to pull 
it out so we operate in accordance with the standard.

Re: One last query out about using SSL_CTX_set_quiet_shutdown

Posted by Susan Hinrichs <sh...@network-geographics.com>.
Actually I got some insight from reading the SSL_shutdown man page 
https://www.openssl.org/docs/ssl/SSL_shutdown.html.

If you enable quiet_shutdown, the SSL_shutdown will always return with 
success.  Otherwise, you may need to call SSL_shutdown multiple times 
(much as you do with SSL_accept), to get the close_notify handshake 
through.

Based on that, I'm assuming the original motivation for using 
quiet_shutdown was programming expediency.  I'll move on assuming that.

If anyone else has additional insights, I'd appreciate hearing them.

Thanks,
Susan

On 2/5/2015 9:35 AM, Susan Hinrichs wrote:
> I'm trying to close out TS-2941.
>
> Because ATS has SSL_CTX_set_quiet_shutdown enabled, it does not send 
> close_notify before shutting down the SSL connection.  This does not 
> follow the TLS standard and causes the clients to set RSTs.
>
> Can anyone remember why we are explicitly enabling 
> SSL_CTX_set_quiet_shutdown?  If we don't remember why, I'm going to 
> pull it out so we operate in accordance with the standard.
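To see what the two shutdown styles look like on the wire, here is an added example in Go (not ATS code, and not OpenSSL's API; the record-level effect is the same whichever library produces it). It handshakes a TLS 1.2 client and server over an in-memory pipe, then closes the server side either with the TLS-level Close, which sends close_notify, or by closing the raw transport, which is what quiet_shutdown amounts to. The certificate is a throwaway one generated at run time, and InsecureSkipVerify on the client exists only because of that.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)

// tapConn copies every write the server makes, so the caller can see whether an
// alert record (content type 21, used by close_notify) went out before close.
type tapConn struct {
	net.Conn
	writes [][]byte
}

func (t *tapConn) Write(p []byte) (int, error) {
	t.writes = append(t.writes, append([]byte(nil), p...))
	return t.Conn.Write(p)
}

// ServerSentCloseNotify handshakes over an in-memory pipe, then closes the server:
// quiet=true closes only the transport (what SSL_CTX_set_quiet_shutdown amounts to),
// quiet=false uses the TLS-level Close, which sends close_notify first. TLS 1.2 is
// pinned because TLS 1.3 wraps alerts in application_data records, hiding the type.
func ServerSentCloseNotify(quiet bool) (bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway demo certificate
	if err != nil { return false, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return false, err }
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	clientRaw, serverRaw := net.Pipe()
	tap := &tapConn{Conn: serverRaw}
	server := tls.Server(tap, &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12})
	client := tls.Client(clientRaw, &tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12}) // demo cert only
	gone := make(chan error, 1) // the client handshakes implicitly, then waits for the server to go away
	go func() { _, err := client.Read(make([]byte, 64)); gone <- err }()
	if err := server.Handshake(); err != nil { return false, err }
	tap.writes = nil // keep only what the server writes after the handshake
	if quiet {
		err = serverRaw.Close()
	} else {
		err = server.Close()
	}
	// Go's client reports plain EOF either way (it tolerates an abrupt close at a record
	// boundary), but only the graceful close put an alert record on the wire.
	if cerr := <-gone; cerr != io.EOF { return false, cerr }
	return len(tap.writes) > 0 && tap.writes[len(tap.writes)-1][0] == 21, err
}
```

Because the client sees the same EOF in both cases, the missing close_notify is invisible at the application layer, and the only reliable place to check for it is a packet capture or a tap like the one above.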