Hi, Viktor.
01.02.2015, 23:50, "Viktor Dukhovni" <openssl-us...@dukhovni.org>: > On Sun, Feb 01, 2015 at 11:36:20PM +0300, Serj wrote: >> 1. Return values for SSL_shutdown() > > 0 initially if shutdown alert sent, but not yet received from > the peer. >> I never get 2 as a return value! > > Why do you expect "2"? [ Note, something is screwing up itemized > lists in the on-line documentation. Instead of showing item labels, > item numbers are showing up instead. ] Here: https://www.openssl.org/docs/ssl/SSL_shutdown.html I see only this: ----------------------------------------------------- RETURN VALUES The following return values can occur: 1. The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional shutdown shall be performed. The output of SSL_get_error may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. 2. The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close notify" alert was received. <0 The shutdown was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. It can also occur if action is need to continue the operation for non-blocking BIOs. Call SSL_get_error with the return value ret to find out the reason. ----------------------------------------------------- > The nroff manpage says: > RETURN VALUES > The following return values can occur: > > 0 The shutdown is not yet finished. Call SSL_shutdown() for a second > time, if a bidirectional > shutdown shall be performed. The output of SSL_get_error(3) may > be misleading, as an erroneous > SSL_ERROR_SYSCALL may be flagged even though no error occurred. > > 1 The shutdown was successfully completed. The "close notify" alert > was sent and the peer's "close > notify" alert was received. > > -1 The shutdown was not successful because a fatal error occurred > either at the protocol level or a > connection failure occurred. It can also occur if action is need > to continue the operation for > non-blocking BIOs. Call SSL_get_error(3) with the return value > ret to find out the reason. Seems to be this is right. This is exactly what I wanted to see here: https://www.openssl.org/docs/ssl/SSL_shutdown.html >> 2. What is the best practise for shutdown SSL connections for CLIENT? > > Call ssl_shutdown() and if it returns 0, call it again processing > WANT_READ/WANT_WRITE as required. I use non-blocking sockets. That's why I got -1 as return value after first ssl_shutdown(). I process WANT_READ/WANT_WRITE. But some servers don't send "close_notify", so we never got a 1 as a return value. We must be sure that server got a "close_notify" - this is the question! What is the best practise for that? -- Best Regards, Serj _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
