From: Emmanuel Hocdet Date: Sun, 8 Jan 2017 13:07:39 +0000 (+0100) Subject: BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL X-Git-Tag: v1.8-dev1~169 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=405ff31;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL With BoringSSL: SSL_set_shutdown: Assertion `(SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)' failed. "SSL_set_shutdown causes ssl to behave as if the shutdown bitmask (see SSL_get_shutdown) were mode. This may be used to skip sending or receiving close_notify in SSL_shutdown by causing the implementation to believe the events already happened. It is an error to use SSL_set_shutdown to unset a bit that has already been set. Doing so will trigger an assert in debug builds and otherwise be ignored. Use SSL_CTX_set_quiet_shutdown instead." Change logic to not notify on SSL_shutdown when connection is not clean. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 32f290b452..62b983aa43 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4022,15 +4022,15 @@ static void ssl_sock_shutw(struct connection *conn, int clean) { if (conn->flags & CO_FL_HANDSHAKE) return; + if (!clean) + /* don't sent notify on SSL_shutdown */ + SSL_CTX_set_quiet_shutdown(conn->xprt_ctx, 1); /* no handshake was in progress, try a clean ssl shutdown */ - if (clean && (SSL_shutdown(conn->xprt_ctx) <= 0)) { + if (SSL_shutdown(conn->xprt_ctx) <= 0) { /* Clear openssl global errors stack */ ssl_sock_dump_errors(conn); ERR_clear_error(); } - - /* force flag on ssl to keep session in cache regardless shutdown result */ - SSL_set_shutdown(conn->xprt_ctx, SSL_SENT_SHUTDOWN); } /* used for logging, may be changed for a sample fetch later */
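Review bot: In the added `if (!clean)` branch of `ssl_sock_shutw()`, `SSL_CTX_set_quiet_shutdown()` is called with `conn->xprt_ctx`, but the same pointer is passed to `SSL_shutdown()` two lines later, so it is an `SSL *` and not an `SSL_CTX *`. The call then writes the quiet-shutdown flag into a structure of the wrong type, which risks memory corruption. The per-connection form `SSL_set_quiet_shutdown(conn->xprt_ctx, 1);` matches the pointer type and limits the setting to this connection rather than a shared context. Two smaller points: the new comment should read "don't send notify on SSL_shutdown", and the removed `SSL_set_shutdown(conn->xprt_ctx, SSL_SENT_SHUTDOWN)` was documented as keeping the session in cache regardless of the shutdown result, so the commit message should state whether that still holds on the clean path when `SSL_shutdown()` returns <= 0.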