From: Willy Tarreau <w@1wt.eu>
Date: Fri, 19 Oct 2012 18:52:18 +0000 (+0200)
Subject: MINOR: ssl: improve socket behaviour upon handshake abort.
X-Git-Tag: v1.5-dev13~132
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=566dc5545bb4c55fdfd883ffa3bdcd6485f6f80e;p=thirdparty%2Fhaproxy.git

MINOR: ssl: improve socket behaviour upon handshake abort.

While checking haproxy's SSL stack with www.ssllabs.com, it appeared that
immediately closing upon a failed handshake caused a TCP reset to be emitted.
This is because OpenSSL does not consume pending data in the socket buffers.
One side effect is that if the reset packet is lost, the client might not get
it. So now when a handshake fails, we try to clean the socket buffers before
closing, resulting in a clean FIN instead of an RST.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f5e68b1d35..9c60679cb1 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -856,6 +856,12 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 		}
 		else {
 			/* Fail on all other handshake errors */
+			/* Note: OpenSSL may leave unread bytes in the socket's
+			 * buffer, causing an RST to be emitted upon close() on
+			 * TCP sockets. We first try to drain possibly pending
+			 * data to avoid this as much as possible.
+			 */
+			ret = recv(conn->t.sock.fd, trash, trashlen, MSG_NOSIGNAL|MSG_DONTWAIT);
 			goto out_error;
 		}
 	}