George,
I don't really know what happens in the SSLv2 case. SSLv2 has no
close_notify message, so there's no secure way for SSL to know that a
connection is being closed. The higher level protocol must provide some
equivalent secure mechanism for connection closure, or you are vulnerable to
truncation attacks.
When you call SSL_shutdown() on an SSLv2 connection, the library doesn't
actually do much of anything except mark the connection as having been
shutdown. So I don't know what happens, you'll have to try it and see or
perhaps someone else can answer.
In SSLv2, without a Content-Length header or some other heuristic (like
looking for the </HTML> tag), how can your client be certain the transport
closure packet (TCP FIN) wasn't spoofed?
_____________________________________
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_____________________________________
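The distinction Greg draws above is one a client can act on: a body delimited only by connection close is trustworthy only if the TLS layer proved the peer closed on purpose, and otherwise the HTTP framing (Content-Length or chunked encoding) has to carry that proof. The following is an added example, not code from this thread or from OpenSSL. It uses Python's ssl module as a runnable stand-in for the OpenSSL C API it wraps: a clean close_notify comes back from recv() as an empty read (the equivalent of SSL_read() returning 0 with SSL_ERROR_ZERO_RETURN), while a bare TCP FIN with no close_notify raises ssl.SSLEOFError when the socket was wrapped with suppress_ragged_eofs=False. The HttpResponse type, parse_response() and read_response() are names chosen for this example, and the sample responses are constructed.

```python
"""Added example (not from the mailing-list thread): decide whether an
HTTPS response body can be trusted as complete when the connection ends.

SSLv3 and TLS send a close_notify alert before closing.  Python's ssl module
reports a received close_notify as an empty read (b"") and, when the socket is
wrapped with suppress_ragged_eofs=False, a TCP FIN without close_notify as
ssl.SSLEOFError.  SSLv2 has no close_notify at all, so on SSLv2 clean_close
can never be True and only Content-Length or chunked framing can prove a
body complete.
"""
import ssl
from dataclasses import dataclass


@dataclass
class HttpResponse:
    status: int
    headers: dict
    body: bytes
    framing: str    # "content-length", "chunked" or "close-delimited"
    complete: bool  # True only when the body length has been verified


def _decode_chunked(data: bytes):
    """Decode a chunked body; returns (body, finished)."""
    out = bytearray()
    pos = 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            return bytes(out), False          # chunk-size line cut off
        size_field = data[pos:nl].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            return bytes(out), False          # malformed size: treat as truncated
        pos = nl + 2
        if size == 0:
            return bytes(out), True           # last-chunk seen: body is complete
        chunk = data[pos:pos + size]
        if len(chunk) < size:
            return bytes(out + chunk), False  # chunk data cut off
        out += chunk
        pos += size + 2                       # skip the CRLF after the chunk data


def parse_response(raw: bytes, clean_close: bool) -> HttpResponse:
    """Frame an HTTP/1.x response.  clean_close must be True only when the
    TLS layer delivered close_notify (it is never True on SSLv2)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("headers incomplete")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if headers.get("transfer-encoding", "").lower() == "chunked":
        body, done = _decode_chunked(body)
        return HttpResponse(status, headers, body, "chunked", done)
    if "content-length" in headers:
        want = int(headers["content-length"])
        return HttpResponse(status, headers, body[:want],
                            "content-length", len(body) >= want)
    # No length information: the only evidence that the server finished is a
    # close_notify, so a bare FIN leaves the body marked incomplete.
    return HttpResponse(status, headers, body, "close-delimited", clean_close)


def read_response(ssl_sock: ssl.SSLSocket) -> HttpResponse:
    """Read until EOF, distinguishing close_notify from a bare TCP FIN.
    The socket must come from ctx.wrap_socket(..., suppress_ragged_eofs=False)."""
    buf = bytearray()
    clean_close = False
    try:
        while True:
            chunk = ssl_sock.recv(4096)
            if not chunk:              # b"" means close_notify was received
                clean_close = True
                break
            buf += chunk
    except ssl.SSLEOFError:
        clean_close = False            # FIN with no close_notify: possible truncation
    return parse_response(bytes(buf), clean_close)


# Constructed sample responses, as a server-side peer might have sent them.
LENGTH_FRAMED = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
CHUNK_FRAMED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"5\r\nhello\r\n0\r\n\r\n")
CLOSE_FRAMED = b"HTTP/1.0 200 OK\r\nConnection: close\r\n\r\n<html></html>"


def demo():
    """Returns (framing, complete) for each sample, as the client would judge it."""
    return [
        (r.framing, r.complete) for r in (
            parse_response(LENGTH_FRAMED, clean_close=False),
            parse_response(LENGTH_FRAMED[:-2], clean_close=True),  # short body
            parse_response(CHUNK_FRAMED, clean_close=False),
            parse_response(CHUNK_FRAMED[:-5], clean_close=True),   # last-chunk missing
            parse_response(CLOSE_FRAMED, clean_close=True),
            parse_response(CLOSE_FRAMED, clean_close=False),       # bare FIN
        )
    ]


if __name__ == "__main__":
    for framing, complete in demo():
        print(f"{framing:16s} complete={complete}")
```

Note that a short Content-Length body is reported incomplete even when close_notify arrived: the header's promise, not the closure, is what fixes the length, and the clean close merely tells you the server itself stopped early. Only the close-delimited case depends on clean_close, which is exactly the case SSLv2 cannot protect.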
----- Original Message -----
From: "Shaw, George" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 18, 2001 1:25 PM
Subject: RE: Closing SSL connections
> Thanks Greg,
>
> Does this mean that SSL v2 would return a different return code from
> SSL_read? And if not then how can I check for the particular circumstance
> of a socket disconnection in this mode. I'm just trying to get a handle on
> how I can support the RFC with SSL v2, it must have been done by others
> before now.
>
> G.
>
> -----Original Message-----
> From: Greg Stark [mailto:[EMAIL PROTECTED]]
> Sent: 18 April 2001 18:14
> To: [EMAIL PROTECTED]
> Subject: Re: Closing SSL connections
>
>
> It is safe to treat this as a non-error if you are using SSL version 3 or
> higher, but not if you connected with SSL version 2. So do not use SSL v2.
>
> Sending an SSL_shutdown() is the safe way to close the connection, but it
> may have performance implications because of the rules OpenSSL uses for
> managing session resumption. See the documentation for SSL_set_shutdown()
> (http://www.openssl.org/docs/ssl/SSL_set_shutdown.html#) for some hints of
> what to do.
>
> _____________________________________
> Greg Stark
> Ethentica, Inc.
> [EMAIL PROTECTED]
> _____________________________________
>
>
>
> ----- Original Message -----
> From: "Shaw, George" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, April 18, 2001 12:38 PM
> Subject: Closing SSL connections
>
>
> > Hi,
> >
> > I'm working with an HTTP application, and according to the RFC when sending
> > the HTTP response it is permissible to signal the end of the response by
> > closing the socket (rather than using the Content-Length header).
> >
> > When implementing the HTTP client using SSL, SSL_read will return
> > SSL_ERROR_ZERO_RETURN. Is it safe to treat this as a non-error, i.e. there
> > are no other circumstances in which this return code will signal a true
> > error?
> >
> > When implementing the HTTP server using SSL, is it safe to issue an
> > SSL_shutdown and a socket disconnect while the client is listening?
> >
> > Thanks,
> >
> > G.
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]