MINOR: ssl: improve socket behaviour upon handshake abort. While checking haproxy's SSL stack with www.ssllabs.com, it appeared that immediately closing upon a failed handshake caused a TCP reset to be emitted. This is because OpenSSL does not consume pending data in the socket buffers. One side effect is that if the reset packet is lost, the client might not get it. So now when a handshake fails, we try to clean the socket buffers before closing, resulting in a clean FIN instead of an RST.

commit: 566dc5545bb4c55fdfd883ffa3bdcd6485f6f80e [log] [tgz]
author: Willy Tarreau <w@1wt.eu> Fri Oct 19 20:52:18 2012 +0200
committer: Willy Tarreau <w@1wt.eu> Fri Oct 19 20:56:59 2012 +0200
tree: e8dc47596a9d2dd2d0015b2a6f33436c65ca9a26
parent: 2e845be2492852b69b581c2fd11147633087ddab [diff]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f5e68b1..9c60679 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -856,6 +856,12 @@
 		}
 		else {
 			/* Fail on all other handshake errors */
+			/* Note: OpenSSL may leave unread bytes in the socket's
+			 * buffer, causing an RST to be emitted upon close() on
+			 * TCP sockets. We first try to drain possibly pending
+			 * data to avoid this as much as possible.
+			 */
+			ret = recv(conn->t.sock.fd, trash, trashlen, MSG_NOSIGNAL|MSG_DONTWAIT);
 			goto out_error;
 		}
 	}
commit	566dc5545bb4c55fdfd883ffa3bdcd6485f6f80e	[log] [tgz]
author	Willy Tarreau <w@1wt.eu>	Fri Oct 19 20:52:18 2012 +0200
committer	Willy Tarreau <w@1wt.eu>	Fri Oct 19 20:56:59 2012 +0200
tree	e8dc47596a9d2dd2d0015b2a6f33436c65ca9a26
parent	2e845be2492852b69b581c2fd11147633087ddab [diff]