SSL_shutdown.pod 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439
  1. =pod
  2. =head1 NAME
  3. SSL_shutdown, SSL_shutdown_ex - shut down a TLS/SSL or QUIC connection
  4. =head1 SYNOPSIS
  5. #include <openssl/ssl.h>
  6. int SSL_shutdown(SSL *ssl);
  7. typedef struct ssl_shutdown_ex_args_st {
  8. uint64_t quic_error_code;
  9. const char *quic_reason;
  10. } SSL_SHUTDOWN_EX_ARGS;
  11. __owur int SSL_shutdown_ex(SSL *ssl, uint64_t flags,
  12. const SSL_SHUTDOWN_EX_ARGS *args,
  13. size_t args_len);
  14. =head1 DESCRIPTION
  15. SSL_shutdown() shuts down an active connection represented by an SSL object.
  16. SSL_shutdown_ex() is an extended version of SSL_shutdown(). If non-NULL, I<args>
  17. must point to a B<SSL_SHUTDOWN_EX_ARGS> structure and I<args_len> must be set to
  18. C<sizeof(SSL_SHUTDOWN_EX_ARGS)>. The B<SSL_SHUTDOWN_EX_ARGS> structure must be
  19. zero-initialized. If I<args> is NULL, the behaviour is the same as passing a
  20. zero-initialised B<SSL_SHUTDOWN_EX_ARGS> structure. Currently, all extended
  21. arguments relate to usage with QUIC, therefore this call functions identically
  22. to SSL_shutdown() when not being used with QUIC.
  23. While the general operation of SSL_shutdown() is common between protocols, the
  24. exact nature of how a shutdown is performed depends on the underlying protocol
  25. being used. See the section below pertaining to each protocol for more
  26. information.
  27. In general, calling SSL_shutdown() in nonblocking mode will initiate the
  28. shutdown process and return 0 to indicate that the shutdown process has not yet
  29. completed. Once the shutdown process has completed, subsequent calls to
  30. SSL_shutdown() will return 1. See the RETURN VALUES section for more
  31. information.
  32. SSL_shutdown() should not be called if a previous fatal error has occurred on a
  33. connection; i.e., if L<SSL_get_error(3)> has returned B<SSL_ERROR_SYSCALL> or
  34. B<SSL_ERROR_SSL>.
  35. =head1 TLS AND DTLS-SPECIFIC CONSIDERATIONS
  36. Shutdown for SSL/TLS and DTLS is implemented in terms of the SSL/TLS/DTLS
  37. close_notify alert message. The shutdown process for SSL/TLS and DTLS
  38. consists of two steps:
  39. =over 4
  40. =item *
  41. A close_notify shutdown alert message is sent to the peer.
  42. =item *
  43. A close_notify shutdown alert message is received from the peer.
  44. =back
  45. These steps can occur in either order depending on whether the connection
  46. shutdown process was first initiated by the local application or by the peer.
  47. =head2 Locally-Initiated Shutdown
  48. Calling SSL_shutdown() on a SSL/TLS or DTLS SSL object initiates the shutdown
  49. process and causes OpenSSL to try to send a close_notify shutdown alert to the
  50. peer. The shutdown process will then be considered completed once the peer
  51. responds in turn with a close_notify shutdown alert message.
  52. Calling SSL_shutdown() only closes the write direction of the connection; the
  53. read direction is closed by the peer. Once SSL_shutdown() is called,
  54. L<SSL_write(3)> can no longer be used, but L<SSL_read(3)> may still be used
  55. until the peer decides to close the connection in turn. The peer might
  56. continue sending data for some period of time before handling the local
  57. application's shutdown indication.
  58. SSL_shutdown() does not affect an underlying network connection such as a TCP
  59. connection, which remains open.
  60. =head2 Remotely-Initiated Shutdown
  61. If the peer was the first to initiate the shutdown process by sending a
  62. close_notify alert message, an application will be notified of this as an EOF
  63. condition when calling
  64. L<SSL_read(3)> (i.e., L<SSL_read(3)> will fail and L<SSL_get_error(3)> will
  65. return B<SSL_ERROR_ZERO_RETURN>), after all application data sent by the peer
  66. prior to initiating the shutdown has been read. An application should handle
  67. this condition by calling SSL_shutdown() to respond with a close_notify alert in
  68. turn, completing the shutdown process, though it may choose to write additional
  69. application data using L<SSL_write(3)> before doing so. If an application does
  70. not call SSL_shutdown() in this case, a close_notify alert will not be sent and
  71. the behaviour will not be fully standards compliant.
  72. =head2 Shutdown Lifecycle
  73. Regardless of whether a shutdown was initiated locally or by the peer, if the
  74. underlying BIO is blocking, a call to SSL_shutdown() will return firstly once a
  75. close_notify alert message is written to the peer (returning 0), and upon a
  76. second and subsequent call, once a corresponding message is received from the
  77. peer (returning 1 and completing the shutdown process). Calls to SSL_shutdown()
  78. with a blocking underlying BIO will also return if an error occurs.
  79. If the underlying BIO is nonblocking and the shutdown process is not yet
  80. complete (for example, because a close_notify alert message has not yet been
  81. received from the peer, or because a close_notify alert message needs to be sent
  82. but would currently block), SSL_shutdown() returns 0 to indicate that the
  83. shutdown process is still ongoing; in this case, a call to L<SSL_get_error(3)>
  84. will yield B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE>.
  85. An application can then detect completion of the shutdown process by calling
  86. SSL_shutdown() again repeatedly until it returns 1, indicating that the shutdown
  87. process is complete (with a close_notify alert having both been sent and
  88. received).
  89. However, the preferred method of waiting for the shutdown to complete is to use
  90. L<SSL_read(3)> until L<SSL_get_error(3)> indicates EOF by returning
  91. B<SSL_ERROR_ZERO_RETURN>. This ensures any data received immediately before the
  92. peer's close_notify alert is still provided to the application. It also ensures
  93. any final handshake-layer messages received are processed (for example, messages
  94. issuing new session tickets).
  95. If this approach is not used, the second call to SSL_shutdown() (to complete the
  96. shutdown by confirming receipt of the peer's close_notify message) will fail if
  97. it is called when the application has not read all pending application data
  98. sent by the peer using L<SSL_read(3)>.
  99. When calling SSL_shutdown(), the B<SSL_SENT_SHUTDOWN> flag is set once an
  100. attempt is made to send a close_notify alert, regardless of whether the attempt
  101. was successful. The B<SSL_RECEIVED_SHUTDOWN> flag is set once a close_notify
  102. alert is received, which may occur during any call which processes incoming data
  103. from the network, such as L<SSL_read(3)> or SSL_shutdown(). These flags
  104. may be checked using L<SSL_get_shutdown(3)>.
  105. =head2 Fast Shutdown
  106. Alternatively, it is acceptable for an application to call SSL_shutdown() once
  107. (such that it returns 0) and then close the underlying connection without
  108. waiting for the peer's response. This allows for a more rapid shutdown process
  109. if the application does not wish to wait for the peer.
  110. This alternative "fast shutdown" approach should only be done if it is known
  111. that the peer will not send more data, otherwise there is a risk of an
  112. application exposing itself to a truncation attack. The full SSL_shutdown()
  113. process, in which both parties send close_notify alerts and SSL_shutdown()
  114. returns 1, provides a cryptographically authenticated indication of the end of a
  115. connection.
  116. This approach of a single SSL_shutdown() call without waiting is preferable to
  117. simply calling L<SSL_free(3)> or L<SSL_clear(3)> as calling SSL_shutdown()
  118. beforehand makes an SSL session eligible for subsequent reuse and notifies the
  119. peer of connection shutdown.
  120. The fast shutdown approach can only be used if there is no intention to reuse
  121. the underlying connection (e.g. a TCP connection) for further communication; in
  122. this case, the full shutdown process must be performed to ensure
  123. synchronisation.
  124. =head2 Effects on Session Reuse
  125. Calling SSL_shutdown() sets the SSL_SENT_SHUTDOWN flag (see
  126. L<SSL_set_shutdown(3)>), regardless of whether the transmission of the
  127. close_notify alert was successful or not. This makes the SSL session eligible
  128. for reuse; the SSL session is considered properly closed and can be reused for
  129. future connections.
  130. =head2 Quiet Shutdown
  131. SSL_shutdown() can be modified to set the connection to the "shutdown"
  132. state without actually sending a close_notify alert message; see
  133. L<SSL_CTX_set_quiet_shutdown(3)>. When "quiet shutdown" is enabled,
  134. SSL_shutdown() will always succeed and return 1 immediately.
  135. This is not standards-compliant behaviour. It should only be done when the
  136. application protocol in use enables the peer to ensure that all data has been
  137. received, such that it doesn't need to wait for a close_notify alert, otherwise
  138. application data may be truncated unexpectedly.
  139. =head2 Non-Compliant Peers
  140. There are SSL/TLS implementations that never send the required close_notify
  141. alert message but simply close the underlying transport (e.g. a TCP connection)
  142. instead. This will ordinarily result in an error being generated.
  143. If compatibility with such peers is desired, the option
  144. B<SSL_OP_IGNORE_UNEXPECTED_EOF> can be set. For more information, see
  145. L<SSL_CTX_set_options(3)>.
  146. Note that use of this option means that the EOF condition for application data
  147. does not receive cryptographic protection, and therefore renders an application
  148. potentially vulnerable to truncation attacks. Thus, this option must only be
  149. used in conjunction with an application protocol which indicates unambiguously
  150. when all data has been received.
  151. An alternative approach is to simply avoid calling L<SSL_read(3)> if it is known
  152. that no more data is going to be sent. This requires an application protocol
  153. which indicates unambiguously when all data has been sent.
  154. =head2 Session Ticket Handling
  155. If a client application only writes to a SSL/TLS or DTLS connection and never
  156. reads, OpenSSL may never process new SSL/TLS session tickets sent by the server.
  157. This is because OpenSSL ordinarily processes handshake messages received from a
  158. peer during calls to L<SSL_read(3)> by the application.
  159. Therefore, client applications which only write and do not read but which wish
  160. to benefit from session resumption are advised to perform a complete shutdown
  161. procedure by calling SSL_shutdown() until it returns 1, as described above. This
  162. will ensure there is an opportunity for SSL/TLS session ticket messages to be
  163. received and processed by OpenSSL.
  164. =head1 QUIC-SPECIFIC SHUTDOWN CONSIDERATIONS
  165. When used with a QUIC connection SSL object, SSL_shutdown() initiates a QUIC
  166. immediate close using QUIC B<CONNECTION_CLOSE> frames.
  167. SSL_shutdown() cannot be used on QUIC stream SSL objects. To conclude a stream
  168. normally, see L<SSL_stream_conclude(3)>; to perform a non-normal stream
  169. termination, see L<SSL_stream_reset(3)>.
  170. SSL_shutdown_ex() may be used instead of SSL_shutdown() by an application to
  171. provide additional information to the peer on the reason why a connection is
  172. being shut down. The information which can be provided is as follows:
  173. =over 4
  174. =item I<quic_error_code>
  175. An optional 62-bit application error code to be signalled to the peer. The value
  176. must be in the range [0, 2**62-1], else the call to SSL_shutdown_ex() fails. If
  177. not provided, an error code of 0 is used by default.
  178. =item I<quic_reason>
  179. An optional zero-terminated (UTF-8) reason string to be signalled to the peer.
  180. The application is responsible for providing a valid UTF-8 string and OpenSSL
  181. will not validate the string. If a reason is not provided, or SSL_shutdown() is
  182. used, a zero-length string is used as the reason. If provided, the reason string
  183. is copied and stored inside the QUIC connection SSL object and need not remain
  184. allocated after the call to SSL_shutdown_ex() returns. Reason strings are
  185. bounded by the path MTU and may be silently truncated if they are too long to
  186. fit in a QUIC packet.
  187. Reason strings are intended for human diagnostic purposes only, and should not
  188. be used for application signalling.
  189. =back
  190. The arguments to SSL_shutdown_ex() are used only on the first call to
  191. SSL_shutdown_ex() (or SSL_shutdown()) for a given QUIC connection SSL object.
  192. These arguments are ignored on subsequent calls.
  193. These functions do not affect an underlying network BIO or the resource it
  194. represents; for example, a UDP datagram provided to a QUIC connection as the
  195. network BIO will remain open.
  196. Note that when using QUIC, an application must call SSL_shutdown() if it wants
  197. to ensure that all transmitted data was received by the peer. This is unlike a
  198. TLS/TCP connection, where reliable transmission of buffered data is the
  199. responsibility of the operating system. If an application calls SSL_free() on a
  200. QUIC connection SSL object or exits before completing the shutdown process using
  201. SSL_shutdown(), data which was written by the application using SSL_write(), but
  202. could not yet be transmitted, or which was sent but lost in the network, may not
  203. be received by the peer.
  204. When using QUIC, calling SSL_shutdown() allows internal network event processing
  205. to be performed. It is important that this processing is performed regularly,
  206. whether during connection usage or during shutdown. If an application is not
  207. using thread assisted mode, an application conducting shutdown should either
  208. ensure that SSL_shutdown() is called regularly, or alternatively ensure that
  209. SSL_handle_events() is called regularly. See L<openssl-quic(7)> and
  210. L<SSL_handle_events(3)> for more information.
  211. =head2 Application Data Drainage Behaviour
  212. When using QUIC, SSL_shutdown() or SSL_shutdown_ex() ordinarily waits until all
  213. data written to a stream by an application has been acknowledged by the peer. In
  214. other words, the shutdown process waits until all data written by the
  215. application has been sent to the peer, and until the receipt of all such data is
  216. acknowledged by the peer. Only once this process is completed is the shutdown
  217. considered complete.
  218. An exception to this is streams which terminated in a non-normal fashion, for
  219. example due to a stream reset; only streams which are non-terminated at the time
  220. SSL_shutdown() is called, or which terminated in a normal fashion, have their
  221. pending send buffers flushed in this manner.
  222. This behaviour of flushing streams during the shutdown process can be skipped by
  223. setting the B<SSL_SHUTDOWN_FLAG_NO_STREAM_FLUSH> flag in a call to
  224. SSL_shutdown_ex(); in this case, data remaining in stream send buffers may not
  225. be transmitted to the peer. This flag may be used when a non-normal application
  226. condition has occurred and the delivery of data written to streams via
  227. L<SSL_write(3)> is no longer relevant.
  228. =head2 Shutdown Mode
  229. Aspects of how QUIC handles connection closure must be taken into account by
  230. applications. Ordinarily, QUIC expects a connection to continue to be serviced
  231. for a substantial period of time after it is nominally closed. This is necessary
  232. to ensure that any connection closure notification sent to the peer was
  233. successfully received. However, a consequence of this is that a fully
  234. RFC-compliant QUIC connection closure process could take of the order of
  235. seconds. This may be unsuitable for some applications, such as short-lived
  236. processes which need to exit immediately after completing an application-layer
  237. transaction.
  238. As such, there are two shutdown modes available to users of QUIC connection SSL
  239. objects:
  240. =over 4
  241. =item RFC compliant shutdown mode
  242. This is the default behaviour. The shutdown process may take a period of time up
  243. to three times the current estimated RTT to the peer. It is possible for the
  244. closure process to complete much faster in some circumstances but this cannot be
  245. relied upon.
  246. In blocking mode, the function will return once the closure process is complete.
  247. In nonblocking mode, SSL_shutdown_ex() should be called until it returns 1,
  248. indicating the closure process is complete and the connection is now fully shut
  249. down.
  250. =item Rapid shutdown mode
  251. In this mode, the peer is notified of connection closure on a best effort basis
  252. by sending a single QUIC packet. If that QUIC packet is lost, the peer will not
  253. know that the connection has terminated until the negotiated idle timeout (if
  254. any) expires.
  255. This will generally return 0 on success, indicating that the connection has not
  256. yet been fully shut down (unless it has already done so, in which case it will
  257. return 1).
  258. =back
  259. If B<SSL_SHUTDOWN_FLAG_RAPID> is specified in I<flags>, a rapid shutdown is
  260. performed, otherwise an RFC-compliant shutdown is performed.
  261. If an application calls SSL_shutdown_ex() with B<SSL_SHUTDOWN_FLAG_RAPID>, an
  262. application can subsequently change its mind about performing a rapid shutdown
  263. by making a subsequent call to SSL_shutdown_ex() without the flag set.
  264. =head2 Peer-Initiated Shutdown
  265. In some cases, an application may wish to wait for a shutdown initiated by the
  266. peer rather than triggered locally. To do this, call SSL_shutdown_ex() with
  267. I<SSL_SHUTDOWN_FLAG_WAIT_PEER> specified in I<flags>. In blocking mode, this
  268. waits until the peer initiates a shutdown or the connection otherwise becomes
  269. terminated for another reason. In nonblocking mode it exits immediately with
  270. either success or failure depending on whether a shutdown has occurred.
  271. If a locally initiated shutdown has already been triggered or the connection has
  272. started terminating for another reason, this flag has no effect.
  273. B<SSL_SHUTDOWN_FLAG_WAIT_PEER> implies B<SSL_SHUTDOWN_FLAG_NO_STREAM_FLUSH>, as
  274. stream data cannot be flushed after a peer closes the connection. Stream data
  275. may still be sent to the peer in any time spent waiting before the peer closes
  276. the connection, though there is no guarantee of this.
  277. =head2 Nonblocking Mode
  278. SSL_shutdown() and SSL_shutdown_ex() block if the connection is configured in
  279. blocking mode. This may be overridden by specifying
  280. B<SSL_SHUTDOWN_FLAG_NO_BLOCK> in I<flags> when calling SSL_shutdown_ex(), which
  281. causes the call to operate as though in nonblocking mode.
  282. =head1 RETURN VALUES
  283. For both SSL_shutdown() and SSL_shutdown_ex() the following return values can occur:
  284. =over 4
  285. =item Z<>0
  286. The shutdown process is ongoing and has not yet completed.
  287. For TLS and DTLS, this means that a close_notify alert has been sent but the
  288. peer has not yet replied in turn with its own close_notify.
  289. For QUIC connection SSL objects, a CONNECTION_CLOSE frame may have been
  290. sent but the connection closure process has not yet completed.
  291. Unlike most other functions, returning 0 does not indicate an error.
  292. L<SSL_get_error(3)> should not be called; it may misleadingly indicate an error
  293. even though no error occurred.
  294. =item Z<>1
  295. The shutdown was successfully completed.
  296. For TLS and DTLS, this means that a close_notify alert was sent and the peer's
  297. close_notify alert was received.
  298. For QUIC connection SSL objects, this means that the connection closure process
  299. has completed.
  300. =item E<lt>0
  301. The shutdown was not successful.
  302. Call L<SSL_get_error(3)> with the return value B<ret> to find out the reason.
  303. It can occur if an action is needed to continue the operation for nonblocking
  304. BIOs.
  305. It can also occur when not all data was read using SSL_read(), or if called
  306. on a QUIC stream SSL object.
  307. This value is also returned when called on QUIC stream SSL objects.
  308. =back
  309. =head1 SEE ALSO
  310. L<SSL_get_error(3)>, L<SSL_connect(3)>,
  311. L<SSL_accept(3)>, L<SSL_set_shutdown(3)>,
  312. L<SSL_CTX_set_quiet_shutdown(3)>, L<SSL_CTX_set_options(3)>
  313. L<SSL_clear(3)>, L<SSL_free(3)>,
  314. L<ssl(7)>, L<bio(7)>
  315. =head1 HISTORY
  316. The SSL_shutdown_ex() function was added in OpenSSL 3.2.
  317. =head1 COPYRIGHT
  318. Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
  319. Licensed under the Apache License 2.0 (the "License"). You may not use
  320. this file except in compliance with the License. You can obtain a copy
  321. in the file LICENSE in the source distribution or at
  322. L<https://www.openssl.org/source/license.html>.
  323. =cut