Open Bug 69726 Opened 24 years ago Updated 2 years ago

SSL connections seldom shut down cleanly

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

People

(Reporter: nelson, Unassigned)

Details

NSS's SSL/TLS code always sends a "close notify" alert 
immediately prior to closing the socket, if the connection
has previously begun (or completed) an SSL3/TLS handshake.  

I believe it was the original intent of the SSL 3 creators
that close notify alerts records would perform the same 
function at the SSL layer that FIN does in the TCP protocol,
and that both ends would be required to send it prior to 
normal shutdown.  That's why this code behaves as it does.

But commonly, the first side of the TLS connection to initiate
connection closure sends a close-notify alert and then immediately
closes the socket, making the socket unable to receive a 
close-notify alert in response from the other side.  If the other
sides replies to the close-notify alert by sending another close-
notify alert, it will typically receive a TCP RST response from
its peer.

So, I propose to change NSS's SSL/TLS code to remember if it 
has received a Close-Notify alert from the other side, and 
not send one prior to close if it has already received one.

This may improve performance.
The SSL code already remembers if it has read a close notify alert.
But it doesn't use that info when deciding whether or not to send
a close notify alert.

However, there's another problem. Unless there's a handshake in 
progress, NSS only reads from the socket when the application 
calls one of the read/recv functions.  So, it is possible that
a close notify alert has been received (at the TCP level), but
hasn't been read from the kernel's TCP buffers because the 
application hasn't done a read.  If the application does a
write, it will experience the TCP RST described above.

To really solve this problem requires adding recv buffering
into the SSL code, something we have not historically done
out of concerns for memory usage.
Priority: -- → P3
Maybe someday the "gather" engines will be re-written.  Then this bug
can be reconsidered.
Target Milestone: --- → Future
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
QA Contact: bishakhabanerjee → jason.m.reid
Target Milestone: Future → ---
QA Contact: jason.m.reid → libraries
I agree that comment 4 was apparently placed into the wrong bug.  
I will mark the misplaced comment "private" to reduce confusion.
Assignee: nelson → nobody
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.