Hi, i am using Tomcat based on APR/OpenSSL and have observed that shutdown behavior in bad case is not clean. For example if OpenSSL verify callback verify the peer certificate(s) and verification is failed e.g. unknown_certificate, revoked etc. OpenSSL sets a handshake error with an alert message "unknown_certificate etc.". But this alert is not sent to the peer. I traced with wireshark. The pendingReadableBytesInSSL() method is invoked in OpenSSLEngine.unwrap is invoked and throws the SSLException.
https://www.codatlas.com/github.com/apache/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java The exception is thrown because OpenSSL has already set an error for verification failed. But there is still data (alert data with first byte 21) in BIO that has not been transferred. For my application a clean shutdown is a critical requirement. Is there anything already in discussion about this issue or should i report as a bug? Kind Regards, Rashid Mahmood --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
