Message310410
You have to tell OpenSSL that a hard-close is expected and fine. If you just SSL_free() the SSL connection, then OpenSSL removes the session from the SSL_CTX's session cache. It assumes that something went wrong and defaults to secure defaults. "Wrong" doesn't necessarily mean that an attacker has compromised a connection.
In order to flag a session as valid, you have to SSL_set_quiet_shutdown(ssl, 1), SSL_shutdown(ssl), SSL_free(ss). With quiet shutdown set, SSL_shutdown() neither sends nor waits for any data.
One-way shutdown with non-blocking trick is evil. Cool hack :)
SSLSocket and SSLObject should really support different shutdown modes, e.g. s.shutdown(mode=0) for quiet, mode=1 for unidirectional and mode=2 for bidirectional. |
|
Date |
User |
Action |
Args |
2018-01-22 10:17:13 | christian.heimes | set | recipients:
+ christian.heimes, vstinner, alex, njs, martin.panter, cheryl.sabella |
2018-01-22 10:17:13 | christian.heimes | set | messageid: <1516616233.24.0.467229070634.issue27815@psf.upfronthosting.co.za> |
2018-01-22 10:17:13 | christian.heimes | link | issue27815 messages |
2018-01-22 10:17:13 | christian.heimes | create | |
|