Hello,
Looking into what disables the SO_KEEPALIVE option on neon (webdav lib) sockets, where I added enabling it after socket creation (done in a single place), I've found that openssl's "apps/s_socket.c" has code to explicitly disable keepalives for stream sockets. Current code ("init_client_ip" function) goes like this:

    #if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
        if (type == SOCK_STREAM) {
            i = 0;
            i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
            if (i < 0) {
                perror("keepalive");
                return(0);
            }
        }
    #endif

Seeking a rationale for doing that, git-blame pointed to a huge commit that did an import of code from SSLeay, with no history (with a possible explanation) beyond that. Looking at other ssl implementations' - gnutls and nss - code for the same setsockopt (hopefully with a comment about why it's there), I've found no trace of tampering with it in either one. Web search unfortunately also yielded no meaningful results.

So, I wonder, why might openssl want to explicitly disable it? Does having SO_KEEPALIVE on have any known security implications? Is it done because some code in openssl can't work reliably with that option enabled (and so it's better to leave it disabled)? Am I wrong about that particular code path and should I look for something else disabling keepalives - openssl doesn't do it?

Thanks in advance for any hints.

-- Mike Kazantsev // fraggod.net
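The question above is really a diagnostic one: after a socket is handed to a library, is SO_KEEPALIVE still set? The following is an added example (not code from the post, neon, or OpenSSL) showing how to set the option and read it back with getsockopt, and it reproduces the enable-then-clear sequence the quoted s_socket.c snippet performs so the effect can be observed on a real socket. The function names set_keepalive, get_keepalive and keepalive_roundtrip are my own.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* Set (on != 0) or clear (on == 0) SO_KEEPALIVE on fd.
 * Returns 0 on success, -1 on error (errno set by setsockopt). */
static int set_keepalive(int fd, int on)
{
    int v = on ? 1 : 0;
    return setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &v, sizeof(v));
}

/* Read the current SO_KEEPALIVE state of fd.
 * Returns 1 if enabled, 0 if disabled, -1 on error.
 * Call this after passing the socket to a library to see whether
 * the library (or anything else) has cleared the option. */
static int get_keepalive(int fd)
{
    int v = 0;
    socklen_t len = sizeof(v);
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &v, &len) < 0)
        return -1;
    return v ? 1 : 0;
}

/* Reproduce the sequence from the post: enable keepalive, then clear it
 * the way the quoted init_client_ip code does (option value 0).
 * Returns 0 if the state was observed as 1 then 0, -1 otherwise.
 * The socket is never connected, so this runs offline. */
static int keepalive_roundtrip(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int before = -1, after = -1;
    if (set_keepalive(fd, 1) == 0)
        before = get_keepalive(fd);
    if (set_keepalive(fd, 0) == 0)
        after = get_keepalive(fd);
    close(fd);
    return (before == 1 && after == 0) ? 0 : -1;
}

int main(void)
{
    int rc = keepalive_roundtrip();
    printf("keepalive enable/clear roundtrip: %s\n", rc == 0 ? "ok" : "unexpected");
    return rc == 0 ? 0 : 1;
}
```

Dropping a get_keepalive check right after the library call that is suspected of clearing the option (in neon's case, after the socket is passed into the SSL layer) narrows down which code path is responsible.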