Hi,
I am using Tomcat based on APR/OpenSSL and have observed that the shutdown behavior
in the bad case is not clean. For example, if the OpenSSL verify callback verifies the
peer certificate(s) and verification fails (e.g. unknown_certificate,
revoked, etc.), OpenSSL sets a handshake error with an alert message
("unknown_certificate" etc.). But this alert is not sent to the peer. I traced it
with Wireshark. The following method in OpenSSLEngine.unwrap is invoked and
throws the SSLException.
    private int pendingReadableBytesInSSL() throws SSLException {
        // NOTE: Calling a fake read is necessary before calling pendingReadableBytesInSSL because
        // SSL_pending will return 0 if OpenSSL has not started the current TLS record
        // See https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html
        int lastPrimingReadResult = SSL.readFromSSL(ssl, EMPTY_ADDR, 0); // priming read
        // check if SSL_read returned <= 0. In this case we need to check the error and see if it was something
        // fatal.
        if (lastPrimingReadResult <= 0) {
            // Check for OpenSSL errors caused by the priming read
            long error = SSL.getLastErrorNumber();
            if (error != SSL.SSL_ERROR_NONE) {
                String err = SSL.getErrorString(error);
                if (logger.isDebugEnabled()) {
                    logger.debug(sm.getString("engine.readFromSSLFailed", Long.toString(error),
                            Integer.toString(lastPrimingReadResult), err));
                }
                // There was an internal error -- shutdown
                shutdown();
                throw new SSLException(err);
            }
        }
        return SSL.pendingReadableBytesInSSL(ssl);
    }
The exception is thrown because OpenSSL has already set an error for the
failed verification. But there is still data (alert data with first byte 21) in
the BIO that has not been transferred.
For my application a clean shutdown is a critical requirement. Is there
anything already in discussion about this issue, or should I report it as a bug?
Kind Regards,
Rashid Mahmood
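Added illustration (not part of the message above and not Tomcat or tomcat-native code): the Go program below uses the standard crypto/tls package as a stand-in for the OpenSSL engine to show, on the wire, the difference between the clean shutdown the message asks for and the behaviour it reports. A client that cannot verify the server certificate fails the handshake; with the dropAlerts switch off, Go flushes the pending bad_certificate alert before returning the error, so the server logs "remote error: tls: bad certificate". With dropAlerts on, the alert record (content type 21) is swallowed the way the unsent BIO data is in the report, and the peer only ever sees an EOF. Everything here is constructed for the demo: the in-memory memConn pair, the self-signed certificate, the name example.test and the function names FailedHandshake and selfSignedCert are assumptions, not anything from Tomcat.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// memConn is one end of an in-memory connection built on buffered channels, so a
// Write never blocks on the peer's Read. dropAlerts reproduces the reported
// behaviour: the alert record is built but never leaves the engine's BIO.
type memConn struct {
	in, out         chan []byte
	rest, lastWrite []byte // unread tail of the last inbound chunk; copy of the last record written
	dropAlerts      bool
}

func (c *memConn) Read(p []byte) (int, error) {
	for len(c.rest) == 0 {
		chunk, ok := <-c.in
		if !ok {
			return 0, io.EOF // peer closed without sending anything more
		}
		c.rest = chunk
	}
	n := copy(p, c.rest)
	c.rest = c.rest[n:]
	return n, nil
}

func (c *memConn) Write(p []byte) (int, error) {
	c.lastWrite = append([]byte(nil), p...)
	if c.dropAlerts && len(p) > 0 && p[0] == 21 { // TLS record content type 21 = alert
		return len(p), nil // swallowed, as in the Wireshark trace the message describes
	}
	c.out <- c.lastWrite
	return len(p), nil
}

func (c *memConn) Close() error                     { close(c.out); return nil }
func (c *memConn) LocalAddr() net.Addr              { return nil }
func (c *memConn) RemoteAddr() net.Addr             { return nil }
func (c *memConn) SetDeadline(time.Time) error      { return nil }
func (c *memConn) SetReadDeadline(time.Time) error  { return nil }
func (c *memConn) SetWriteDeadline(time.Time) error { return nil }

// selfSignedCert builds a throwaway server certificate; the client gets an empty root pool.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Outcome records what each side observed after the failed handshake.
type Outcome struct {
	ClientErr, ServerErr error
	LastClientRecord     []byte
}

// FailedHandshake runs a TLS 1.2 handshake whose server certificate the client cannot
// verify. TLS 1.2 is pinned so the alert is sent in the clear with first byte 21.
func FailedHandshake(dropAlerts bool) (Outcome, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return Outcome{}, err
	}
	c2s, s2c := make(chan []byte, 1024), make(chan []byte, 1024)
	clientConn := &memConn{in: s2c, out: c2s, dropAlerts: dropAlerts}
	server := tls.Server(&memConn{in: c2s, out: s2c}, &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12})
	client := tls.Client(clientConn, &tls.Config{ServerName: "example.test", RootCAs: x509.NewCertPool(), MaxVersion: tls.VersionTLS12})
	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	clientErr := client.Handshake()
	clientConn.Close() // torn down either way; only alert delivery differs
	return Outcome{ClientErr: clientErr, ServerErr: <-serverErr, LastClientRecord: clientConn.lastWrite}, nil
}

func main() {
	for _, drop := range []bool{false, true} {
		o, err := FailedHandshake(drop)
		fmt.Printf("dropAlerts=%v setup=%v client=%v server=%v last=%x\n", drop, err, o.ClientErr, o.ServerErr, o.LastClientRecord)
	}
}
```

Run it with `go run .` and compare the two lines: in both runs the client's last record is the seven-byte plaintext alert 15 03 03 00 02 02 2a (level fatal, description bad_certificate), but only in the first run does the server learn why the connection ended. From a monitoring point of view that is the practical difference: a peer that receives the alert can log the real cause, while a peer whose counterpart tears the engine down without flushing the BIO sees an unexplained EOF that is indistinguishable from a network failure.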