RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-03-23 03:16:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL

Browse Source 
With BoringSSL:
SSL_set_shutdown: Assertion `(SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)' failed.

"SSL_set_shutdown causes ssl to behave as if the shutdown bitmask (see SSL_get_shutdown)
were mode. This may be used to skip sending or receiving close_notify in SSL_shutdown by
causing the implementation to believe the events already happened.
It is an error to use SSL_set_shutdown to unset a bit that has already been set.
Doing so will trigger an assert in debug builds and otherwise be ignored.
Use SSL_CTX_set_quiet_shutdown instead."

Change logic to not notify on SSL_shutdown when connection is not clean.
This commit is contained in:
Emmanuel Hocdet 2017-01-08 14:07:39 +01:00 committed by Willy Tarreau
parent b7a4c34aac
commit 405ff31e31
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/ssl_sock.c
View File

@ -4022,15 +4022,15 @@ static void ssl_sock_shutw(struct connection *conn, int clean)
{
if (conn->flags & CO_FL_HANDSHAKE)
return;
if (!clean)
/* don't sent notify on SSL_shutdown */
SSL_CTX_set_quiet_shutdown(conn->xprt_ctx, 1);
/* no handshake was in progress, try a clean ssl shutdown */
if (clean && (SSL_shutdown(conn->xprt_ctx) <= 0)) {
if (SSL_shutdown(conn->xprt_ctx) <= 0) {
/* Clear openssl global errors stack */
ssl_sock_dump_errors(conn);
ERR_clear_error();
}
/* force flag on ssl to keep session in cache regardless shutdown result */
SSL_set_shutdown(conn->xprt_ctx, SSL_SENT_SHUTDOWN);
}
/* used for logging, may be changed for a sample fetch later */