Security considerations for SSL_get_quiet_shutdown
august.huber at gmail.com
Wed Jun 13 14:21:18 CEST 2012
While performing some integration work with FreeRadius I have hit some
barriers in providing meaningful errors to clients during failed SSL
(eap_tls) transactions. I was perplexed to discover that all SSL contexts
receive SSL_get_quiet_shutdown(ctx,1) called before shutdown. I'm curious
about the logic behind this decision; specifically is it targeted to
decrease attacker awareness of failure modes or a function of poor client
integration causing some platform to barf when it receives a TLS Alert
message? If neither, does anyone know how this change made it there?
Adding a conflg flag seems relatively straightforward for this case to
preserve the silent functionality when desired, but wanted to query the
list to see if anyone has a strong opinion before I do.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Freeradius-Devel