august huber wrote:
While performing some integration work with FreeRadius I have hit some barriers in providing meaningful errors to clients during failed SSL (eap_tls) transactions. I was perplexed to discover that all SSL contexts receive SSL_get_quiet_shutdown(ctx,1) called before shutdown. I'm curious about the logic behind this decision; specifically is it targeted to decrease attacker awareness of failure modes or a function of poor client integration causing some platform to barf when it receives a TLS Alert message? If neither, does anyone know how this change made it there?
If I recall, it's because there's no real point in sending anything to the client. The EAP session has already failed. Sending more information as to *why* it failed isn't useful. Having the SSL session hang around waiting to send more data isn't useful either.
Adding a conflg flag seems relatively straightforward for this case to preserve the silent functionality when desired, but wanted to query the list to see if anyone has a strong opinion before I do.
I'm not really sure it's a good idea. Alan DeKok.