TS-2709: ATS does not send close-notify on shutdown.

Author: shinrich

CHANGES

@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 5.3.0
 
+  *) [TS-2709] ATS does not send close-notify on shutdown. Confuses some clients.
+
   *) [TS-3467] Cleanup tmp files created from traffic_via tests.
 
   *) [TS-3419] Run the source through clang-format. Keep it clean!

iocore/net/P_SSLNetVConnection.h

@@ -113,6 +113,7 @@ class SSLNetVConnection : public UnixNetVConnection
   virtual int64_t load_buffer_and_write(int64_t towrite, int64_t &wattempted, int64_t &total_written, MIOBufferAccessor &buf,
                                         int &needs);
   void registerNextProtocolSet(const SSLNextProtocolSet *);
+  virtual void do_io_close(int lerrno = -1);
 
   ////////////////////////////////////////////////////////////
   // Instances of NetVConnection should be allocated        //

iocore/net/SSLNetVConnection.cc

@@ -762,6 +762,43 @@ SSLNetVConnection::SSLNetVConnection()
 {
 }
 
+void 
+SSLNetVConnection::do_io_close(int lerrno)
+{
+  if (this->ssl != NULL && sslHandShakeComplete) {
+    int new_shutdown_mode = 0, shutdown_mode = 0;
+    if (this->lerrno < 0) {
+      new_shutdown_mode = SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN;
+    } else {
+      shutdown_mode = SSL_get_shutdown(ssl);
+      Debug("ssl-shutdown", "previous shutdown state 0x%x", shutdown_mode);
+      new_shutdown_mode = shutdown_mode | SSL_RECEIVED_SHUTDOWN;
+    }
+    if (new_shutdown_mode != shutdown_mode) {
+      // We do not need to sit around and wait for the client's close-notify if
+      // they have not already sent it.  We will still be standards compliant
+      Debug("ssl-shutdown", "new SSL_set_shutdown 0x%x", new_shutdown_mode);
+      SSL_set_shutdown(ssl, new_shutdown_mode);
+    }
+
+    // If the peer has already sent a FIN, don't bother with the shutdown
+    // They will just send us a RST for our troubles
+    // This test is not foolproof.  The client's fin could be on the wire 
+    // at the same time we send the close-notify.  If so, the client will likely
+    // send RST anyway
+    char c;
+    ssize_t x = recv(this->con.fd, &c, 1, MSG_PEEK);
+    // x < 0 means error.  x == 0 means fin sent
+    if (x != 0) {
+      // Send the close-notify
+      int ret = SSL_shutdown(ssl);
+      Debug("ssl-shutdown", "SSL_shutdown %s", (ret)?"success":"failed");
+    }
+  }
+  // Go on and do the unix socket cleanups
+  super::do_io_close(lerrno);
+}
+
 void
 SSLNetVConnection::free(EThread *t)
 {
@@ -780,8 +817,6 @@ SSLNetVConnection::free(EThread *t)
   closed = 0;
   ink_assert(con.fd == NO_FD);
   if (ssl != NULL) {
-    /*if (sslHandShakeComplete)
-       SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); */
     SSL_free(ssl);
     ssl = NULL;
   }

iocore/net/SSLUtils.cc

@@ -1238,8 +1238,6 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config &sslMu
   SSL_CTX_set_options(ctx, SSL_OP_SAFARI_ECDHE_ECDSA_BUG);
 #endif
 
-  SSL_CTX_set_quiet_shutdown(ctx, 1);
-
   // pass phrase dialog configuration
   passphrase_cb_userdata ud(params, sslMultCertSettings.dialog, sslMultCertSettings.first_cert, sslMultCertSettings.key);