[asterisk-dev] (ASTERISK-18342) close() before SSL_Shutdown() in ssl_close()

Wed Aug 31 04:06:51 CDT 2011

2011-08-30 14:00:48 -0500, Leif Madsen (JIRA):
>      [ https://issues.asterisk.org/jira/browse/ASTERISK-18342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
> 
> Leif Madsen updated ASTERISK-18342:
> -----------------------------------
> 
>     Assignee: Stephane Chazelas
>       Status: Waiting for Feedback  (was: Triage)
> 
> This is really a discussion item that should be brought up on
> the Asterisk-dev mailing list. Please reference this issue,
> but have the discussion on the mailing list. When it is
> determined to be a bug or not, please update the issue so it
> can be moved to the proper status. Thanks!
> 
> > close() before SSL_Shutdown() in ssl_close()
> > --------------------------------------------
> >
> >                 Key: ASTERISK-18342
> >                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-18342
> >             Project: Asterisk
> >          Issue Type: Bug
> >      Security Level: None
> >          Components: Channels/chan_sip/TCP-TLS
> >    Affects Versions: SVN, 1.8.4
> >            Reporter: Stephane Chazelas
> >            Assignee: Stephane Chazelas
> >
> > In http://svn.digium.com/svn/asterisk/trunk/main/tcptls.c
> > static int ssl_close(void *cookie)
> > {
> >         close(SSL_get_fd(cookie));
> >         SSL_shutdown(cookie);
> >         SSL_free(cookie);
> >         return 0;
> > }
> > If I understand correctly, that means that the SSL socket
> > won't be torn down correctly, and the SSL_shutdown() is
> > useless. Is there any reason for it being that way?
[...]

Hiya,

it says it all above. I noticed that behavior when observing
wireshark traces that showed an SSL connection ending up
abnormally (TCP connection close without "close notify" shutdown
alert), and saw that code above, so was wondering about the
rationale behind that (like forcing renegotiation of keys upon
reconnection or stuff like that).

It looks very much like a bug to me, or the lazy way to close a
non-blocking SSL connection (being non-blocking, the
SSL_shutdown would have to be done asynchronously which looks
like it's gonna be tricky with the current design).

See related Bug ASTERISK-18345

Best regards,
Stephane