MINOR: ssl: improve socket behaviour upon handshake abort.

While checking haproxy's SSL stack with www.ssllabs.com, it appeared that
immediately closing upon a failed handshake caused a TCP reset to be emitted.
This is because OpenSSL does not consume pending data in the socket buffers.
One side effect is that if the reset packet is lost, the client might not get
it. So now when a handshake fails, we try to clean the socket buffers before
closing, resulting in a clean FIN instead of an RST.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f5e68b1d35b39ac7eac237b4f266c9b247667050..9c60679cb1c3cfe05d76e6f9b7a018223e22215c 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -856,6 +856,12 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
                }
                else {
                        /* Fail on all other handshake errors */
+                       /* Note: OpenSSL may leave unread bytes in the socket's
+                        * buffer, causing an RST to be emitted upon close() on
+                        * TCP sockets. We first try to drain possibly pending
+                        * data to avoid this as much as possible.
+                        */
+                       ret = recv(conn->t.sock.fd, trash, trashlen, MSG_NOSIGNAL|MSG_DONTWAIT);
                        goto out_error;
                }
        }