Security considerations for SSL_get_quiet_shutdown

Alan DeKok aland at
Wed Jun 13 14:53:31 CEST 2012

august huber wrote:
> While performing some integration work with FreeRadius I have hit some
> barriers in providing meaningful errors to clients during failed SSL
> (eap_tls) transactions.  I was perplexed to discover that all SSL
> contexts receive SSL_get_quiet_shutdown(ctx,1) called before shutdown. 
> I'm curious about the logic behind this decision; specifically is it
> targeted to decrease attacker awareness of failure modes or a function
> of poor client integration causing some platform to barf when it
> receives a TLS Alert message?  If neither, does anyone know how this
> change made it there?

  If I recall, it's because there's no real point in sending anything to
the client.  The EAP session has already failed.  Sending more
information as to *why* it failed isn't useful.

  Having the SSL session hang around waiting to send more data isn't
useful either.

> Adding a conflg flag seems relatively straightforward for this case to
> preserve the silent functionality when desired, but wanted to query the
> list to see if anyone has a strong opinion before I do.

  I'm not really sure it's a good idea.

  Alan DeKok.

More information about the Freeradius-Devel mailing list