From: William Lallemand Date: Mon, 26 Jun 2023 15:42:09 +0000 (+0200) Subject: MEDIUM: ssl: handle the SSL_ERROR_ZERO_RETURN during the handshake X-Git-Tag: v2.9-dev1~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8e5762389c56ba0d794ecc43d8a1b26667c9c56;p=thirdparty%2Fhaproxy.git MEDIUM: ssl: handle the SSL_ERROR_ZERO_RETURN during the handshake During a SSL_do_handshake(), SSL_ERROR_ZERO_RETURN can be returned in case the remote peer sent a close_notify alert. Previously this would set the connection error to CO_ER_SSL_HANDSHAKE, this patch sets it to CO_ER_SSL_ABORT to have a more accurate error. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index ff0db9d1a1..9af57cce1a 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5984,6 +5984,14 @@ check_error: #endif /* BoringSSL or LibreSSL */ } goto out_error; + + } else if (ret == SSL_ERROR_ZERO_RETURN) { + /* The peer has closed the SSL session for writing by + * sending a close_notify alert */ + conn_ctrl_drain(conn); + conn->err_code = CO_ER_SSL_ABORT; + goto out_error; + } else { /* Fail on all other handshake errors */
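Review bot: In the new `ret == SSL_ERROR_ZERO_RETURN` branch, `conn->err_code = CO_ER_SSL_ABORT;` is assigned unconditionally, so any error code recorded earlier on this connection is overwritten before `goto out_error`. If a more specific code can already be set at this point, guard the assignment with `if (!conn->err_code)`; if it cannot, a short comment saying so would help the next reader. The result of `conn_ctrl_drain(conn)` is also discarded here, so it is worth stating in the comment that the drain is best effort and that the branch fails the handshake either way. Since the commit message says close_notify during the handshake used to surface as CO_ER_SSL_HANDSHAKE, the comment could mention that this case is now reported as an abort, because anyone alerting on handshake-failure counts or log strings will see those events move to the abort category. Minor style point: the hunk adds an empty line before `} else if` and another before `} else {`, which splits the if/else chain visually; dropping them would keep the chain compact.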