From 405ff31e31eb1cbdc76ba0d93c6db4c7a3fd497a Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet
Date: Sun, 8 Jan 2017 14:07:39 +0100
Subject: [PATCH] BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL

With BoringSSL:
SSL_set_shutdown: Assertion `(SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)' failed.

"SSL_set_shutdown causes ssl to behave as if the shutdown bitmask (see SSL_get_shutdown) were mode. This may be used to skip sending or receiving close_notify in SSL_shutdown by causing the implementation to believe the events already happened. It is an error to use SSL_set_shutdown to unset a bit that has already been set. Doing so will trigger an assert in debug builds and otherwise be ignored. Use SSL_CTX_set_quiet_shutdown instead."

Change logic to not notify on SSL_shutdown when connection is not clean.
---
 src/ssl_sock.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 32f290b452..62b983aa43 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4022,15 +4022,15 @@ static void ssl_sock_shutw(struct connection *conn, int clean)
 {
 if (conn->flags & CO_FL_HANDSHAKE)
 return;
+ if (!clean)
+ /* don't sent notify on SSL_shutdown */
+ SSL_CTX_set_quiet_shutdown(conn->xprt_ctx, 1);
 /* no handshake was in progress, try a clean ssl shutdown */
- if (clean && (SSL_shutdown(conn->xprt_ctx) <= 0)) {
+ if (SSL_shutdown(conn->xprt_ctx) <= 0) {
 /* Clear openssl global errors stack */
 ssl_sock_dump_errors(conn);
 ERR_clear_error();
 }
-
- /* force flag on ssl to keep session in cache regardless shutdown result */
- SSL_set_shutdown(conn->xprt_ctx, SSL_SENT_SHUTDOWN);
 }
 
 /* used for logging, may be changed for a sample fetch later */
-- 
2.39.5
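Review bot: The added `SSL_CTX_set_quiet_shutdown(conn->xprt_ctx, 1)` hands the per-connection SSL object to a function whose parameter is an `SSL_CTX *`; the same `conn->xprt_ctx` is passed to `SSL_shutdown()` two lines below, which takes an `SSL *`, so the two calls cannot both be right. If `xprt_ctx` is declared `void *`, as the absence of any cast suggests, the compiler will not flag the mismatch and the call is likely to store the quiet-shutdown flag at an `SSL_CTX` field offset inside the `SSL` object, corrupting it rather than suppressing close_notify, which means the assert this patch targets may merely move. The per-connection form is `SSL_set_quiet_shutdown(conn->xprt_ctx, 1);`, which also avoids silently changing shutdown behaviour for every other connection sharing the context. The new comment reads `don't sent notify` where `don't send notify` is meant.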