[asterisk-bugs] [JIRA] Commented: (ASTERISK-18342) close() before SSL_Shutdown() in ssl_close()

Matt Jordan (JIRA) noreply at issues.asterisk.org
Mon Aug 27 10:43:07 CDT 2012


    [ https://issues.asterisk.org/jira/browse/ASTERISK-18342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=196249#comment-196249 ] 

Matt Jordan commented on ASTERISK-18342:
----------------------------------------

The ssl_close function was reworked to do the following:

* If the cookie file descriptor is not valid, do nothing.
* Call SSL_shutdown on the cookie
* Call SSL_free on the cookie
* Close the cookie file descriptor

A comment in the code addresses the asynchronous concern:

"According to the TLS standard, it is acceptable for an application to only send its shutdown alert and then close the underlying connection without waiting for the peer's response (this way resources can be saved, as the process can already terminate or serve another connection)"

Note that this explains why SSL_shutdown is now called first on the cookie, before closing the file descriptor.

> close() before SSL_Shutdown() in ssl_close()
> --------------------------------------------
>
>                 Key: ASTERISK-18342
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-18342
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: SVN, 1.8.4
>            Reporter: Stephane Chazelas
>
> In http://svn.digium.com/svn/asterisk/trunk/main/tcptls.c
> {code}
> static int ssl_close(void *cookie)
> {
>         close(SSL_get_fd(cookie));
>         SSL_shutdown(cookie);
>         SSL_free(cookie);
>         return 0;
> }
> {code}
> If I understand correctly, that means that the SSL socket won't be torn down correctly, and the SSL_shutdown() is useless.
> Is there any reason for it being that way?

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
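
The effect of the two call orders discussed in this message, as an added example that is not Asterisk's code and does not use OpenSSL: a Unix socketpair stands in for the TLS connection, and a two-byte plaintext write stands in for the close_notify alert that SSL_shutdown sends. The names model_shutdown, peer_read and run_close are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for the alert: level = warning (1), description = close_notify (0). */
static const unsigned char CLOSE_NOTIFY[2] = { 1, 0 };

enum peer_view { PEER_SAW_CLOSE_NOTIFY, PEER_SAW_BARE_EOF, PEER_ERROR };

/* Stand-in for SSL_shutdown(): write the alert to fd. Returns 0 or -errno. */
static int model_shutdown(int fd)
{
    ssize_t n = write(fd, CLOSE_NOTIFY, sizeof(CLOSE_NOTIFY));
    if (n < 0)
        return -errno;
    return n == (ssize_t)sizeof(CLOSE_NOTIFY) ? 0 : -EIO;
}

/* What the peer observes once our side has finished closing. */
static enum peer_view peer_read(int peer_fd)
{
    unsigned char buf[2];
    ssize_t n = read(peer_fd, buf, sizeof(buf));
    if (n == 0)
        return PEER_SAW_BARE_EOF;   /* looks the same as a truncated stream */
    if (n == 2 && buf[0] == 1 && buf[1] == 0)
        return PEER_SAW_CLOSE_NOTIFY;
    return PEER_ERROR;
}

/* fixed_order != 0: alert, then close. fixed_order == 0: close, then alert. */
static enum peer_view run_close(int fixed_order, int *shutdown_rc)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return PEER_ERROR;
    if (fixed_order) {
        *shutdown_rc = model_shutdown(sv[0]);
        close(sv[0]);
    } else {
        close(sv[0]);
        *shutdown_rc = model_shutdown(sv[0]);   /* descriptor is gone: EBADF */
    }
    enum peer_view seen = peer_read(sv[1]);
    close(sv[1]);
    return seen;
}

int main(void)
{
    int rc;
    printf("alert then close: peer=%d rc=%d\n", run_close(1, &rc), rc);
    printf("close then alert: peer=%d rc=%d\n", run_close(0, &rc), rc);
    return 0;
}
```

In a multi-threaded process the close-first order carries a further risk this single-threaded model does not show: the descriptor number can be reused by another connection before the late write happens.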


