Security considerations for SSL_get_quiet_shutdown
Alan DeKok
aland at deployingradius.com
Wed Jun 13 14:53:31 CEST 2012
august huber wrote:
> While performing some integration work with FreeRadius I have hit some
> barriers in providing meaningful errors to clients during failed SSL
> (eap_tls) transactions. I was perplexed to discover that all SSL
> contexts receive SSL_get_quiet_shutdown(ctx,1) called before shutdown.
> I'm curious about the logic behind this decision; specifically is it
> targeted to decrease attacker awareness of failure modes or a function
> of poor client integration causing some platform to barf when it
> receives a TLS Alert message? If neither, does anyone know how this
> change made it there?
If I recall, it's because there's no real point in sending anything to
the client. The EAP session has already failed. Sending more
information as to *why* it failed isn't useful.
Having the SSL session hang around waiting to send more data isn't
useful either.
> Adding a conflg flag seems relatively straightforward for this case to
> preserve the silent functionality when desired, but wanted to query the
> list to see if anyone has a strong opinion before I do.
I'm not really sure it's a good idea.
Alan DeKok.
More information about the Freeradius-Devel
mailing list