BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL

With BoringSSL:
SSL_set_shutdown: Assertion `(SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)' failed.

"SSL_set_shutdown causes ssl to behave as if the shutdown bitmask (see SSL_get_shutdown)
were mode. This may be used to skip sending or receiving close_notify in SSL_shutdown by
causing the implementation to believe the events already happened.
It is an error to use SSL_set_shutdown to unset a bit that has already been set.
Doing so will trigger an assert in debug builds and otherwise be ignored.
Use SSL_CTX_set_quiet_shutdown instead."

Change logic to not notify on SSL_shutdown when connection is not clean.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 32f290b..62b983a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4022,15 +4022,15 @@
{
if (conn->flags & CO_FL_HANDSHAKE)
return;
+ if (!clean)
+ /* don't sent notify on SSL_shutdown */
+ SSL_CTX_set_quiet_shutdown(conn->xprt_ctx, 1);
/* no handshake was in progress, try a clean ssl shutdown */
- if (clean && (SSL_shutdown(conn->xprt_ctx) <= 0)) {
+ if (SSL_shutdown(conn->xprt_ctx) <= 0) {
/* Clear openssl global errors stack */
ssl_sock_dump_errors(conn);
ERR_clear_error();
}
-
- /* force flag on ssl to keep session in cache regardless shutdown result */
- SSL_set_shutdown(conn->xprt_ctx, SSL_SENT_SHUTDOWN);
}
/* used for logging, may be changed for a sample fetch later */
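
Review bot: SSL_CTX_set_quiet_shutdown(conn->xprt_ctx, 1) in the added "if (!clean)" branch receives the same conn->xprt_ctx that the next statement passes to SSL_shutdown(), so an SSL * is being handed to a function that takes an SSL_CTX *. The per-connection setter, SSL_set_quiet_shutdown(conn->xprt_ctx, 1), is the one that matches this pointer; the context-level setter only supplies the default for SSL objects created from that context later, so even with the right argument type it would not affect the connection being closed and would change behaviour for other connections sharing the context. Separately, the removed comment said SSL_SENT_SHUTDOWN was forced "to keep session in cache regardless shutdown result"; with that call gone, the clean path where SSL_shutdown() returns <= 0 no longer has that guarantee, and the commit message should say whether session reuse is still expected in that case. Minor: the new comment reads "don't sent notify" and should be "don't send notify".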