[PATCH] SSL: shutdown cleanly when other endpoint starts shutdown

Judson Wilson
December 05, 2015 02:20AM
# HG changeset patch
# User Judson Wilson <wilson.judson@gmail.com>
# Date 1449296759 0
# Sat Dec 05 06:25:59 2015 +0000
# Node ID f41799d322f02c8998a800953d81e7274a9d3376
# Parent cb31017e961b4a54e83c4fc1be46c18842696207
SSL: shutdown cleanly when other endpoint starts shutdown

Before this change, if the other endpoint sends an SSL close_notify, nginx
will kill the SSL connection without sending a close_notify in response.
This behavior does not follow RFC 5246 section 7.2.1:

    Unless some other fatal alert has been transmitted, each party is
    required to send a close_notify alert before closing the write side
    of the connection.

This change fixes this behavior in this specific situation, causing
nginx to reply with a close_notify before shutting down the connection.

diff -r cb31017e961b -r f41799d322f0 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Dec 02 19:17:19 2015 -0800
+++ b/src/event/ngx_event_openssl.c Sat Dec 05 06:25:59 2015 +0000
@@ -1472,7 +1472,6 @@
}

c->ssl->no_wait_shutdown = 1;
- c->ssl->no_send_shutdown = 1;

if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
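
Review bot: The `if` at the end of this hunk takes the `NGX_DONE` path on `sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0`, so with the unconditional `c->ssl->no_send_shutdown = 1;` removed, the flag is also left unset when `sslerr` is something other than `SSL_ERROR_ZERO_RETURN` and the error queue is empty. The commit message only justifies replying when the peer has sent a close_notify. Consider leaving the flag unset only for `SSL_ERROR_ZERO_RETURN`, or state in the commit message why a close_notify should also be sent in the `ERR_peek_error() == 0` case.
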
@@ -1480,6 +1479,8 @@
return NGX_DONE;
}

+ c->ssl->no_send_shutdown = 1;
+
ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed");

return NGX_ERROR;
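
Review bot: The added `c->ssl->no_send_shutdown = 1;` before `ngx_ssl_connection_error()` carries no comment explaining why it is now set only on the error path, while `c->ssl->no_wait_shutdown = 1;` in the previous hunk is still set on both paths. A one-line comment here, saying that the close_notify reply is suppressed only after a failed `SSL_read()`, would keep a later cleanup from moving the two assignments back together.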

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel