Call SSL_shutdown() at least twice

author Michael Friedrich <michael.friedrich@icinga.com>

Mon, 10 Sep 2018 14:10:16 +0000 (16:10 +0200)

committer Michael Friedrich <michael.friedrich@icinga.com>

Wed, 5 Dec 2018 15:00:53 +0000 (16:00 +0100)
author Michael Friedrich <michael.friedrich@icinga.com>
Mon, 10 Sep 2018 14:10:16 +0000 (16:10 +0200)
committer Michael Friedrich <michael.friedrich@icinga.com>
Wed, 5 Dec 2018 15:00:53 +0000 (16:00 +0100)
diff --git a/lib/base/tlsstream.cpp b/lib/base/tlsstream.cpp

index e3c232bd0b44c181ead70bd33d300556af2ffb00..a694f86bf0445701959153eb638c5f897ed2f767 100644 (file)
--- a/lib/base/tlsstream.cpp
+++ b/lib/base/tlsstream.cpp
@@ -398,7 +398,20 @@ void TlsStream::CloseInternal(bool inDestructor)
         if (!m_SSL)
                 return;
  
-       (void)SSL_shutdown(m_SSL.get());
+       /* https://www.openssl.org/docs/manmaster/man3/SSL_shutdown.html
+        *
+        * It is recommended to do a bidirectional shutdown by checking
+        * the return value of SSL_shutdown() and call it again until
+        * it returns 1 or a fatal error. A maximum of 2x pending + 2x data
+        * is recommended.
+         */
+       int rc = 0;
+
+       for (int i = 0; i < 4; i++) {
+               if ((rc = SSL_shutdown(m_SSL.get())))
+                       break;
+       }
+
         m_SSL.reset();
  
         m_Socket->Close();
author	Michael Friedrich <michael.friedrich@icinga.com>
	Mon, 10 Sep 2018 14:10:16 +0000 (16:10 +0200)
committer	Michael Friedrich <michael.friedrich@icinga.com>
	Wed, 5 Dec 2018 15:00:53 +0000 (16:00 +0100)