fix openssl session resumption, add quiet shutdown option, support FT…

…PS with hostname
pocoproject · Aug 1, 2023 · cd3fca8 · cd3fca8
1 parent aabc890
commit cd3fca8
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 3 deletions.
diff --git a/Net/include/Poco/Net/FTPClientSession.h b/Net/include/Poco/Net/FTPClientSession.h
@@ -325,6 +325,9 @@ class Net_API FTPClientSession
 		DEFAULT_TIMEOUT = 30000000 // 30 seconds default timeout for socket operations
 	};
 
+	const std::string& getHost() const;
+		/// Returns the host name
+
 	static bool isPositivePreliminary(int status);
 	static bool isPositiveCompletion(int status);
 	static bool isPositiveIntermediate(int status);
@@ -422,6 +425,10 @@ inline const std::string& FTPClientSession::welcomeMessage()
 	return _welcomeMessage;
 }
 
+inline const std::string& FTPClientSession::getHost() const
+{
+	return _host;
+}
 
 } } // namespace Poco::Net
 

diff --git a/NetSSL_OpenSSL/include/Poco/Net/Context.h b/NetSSL_OpenSSL/include/Poco/Net/Context.h
@@ -439,6 +439,21 @@ class NetSSL_API Context: public Poco::RefCountedObject
 	void setSecurityLevel(SecurityLevel level);
 		/// Sets the security level.
 
+	void ignoreUnexpectedEof(bool flag = true);
+		/// Enable or disable SSL/TLS SSL_OP_IGNORE_UNEXPECTED_EOF
+		/// 
+		/// Some TLS implementations do not send the mandatory close_notify alert on shutdown.
+		/// If the application tries to wait for the close_notify alert
+		/// but the peer closes the connection without sending it, an error is generated.
+		/// When this option is enabled the peer does not need to send the close_notify alert
+		/// and a closed connection will be treated as if the close_notify alert was received.
+
+	void setQuietShutdown(bool flag = true);
+		/// Normally, when an SSL connection is finished, the parties must send out close_notify alert messages for a clean shutdown.
+		/// When setting the "quiet shutdown" flag to true, the SecureSocketImpl::shutdown() will set the SSL shutdown flags,
+		/// but no close_notify alert is sent to the peer. This behaviour violates the TLS standard.
+		/// The default is a normal shutdown behaviour as described by the TLS standard.
+
 private:
 	void init(const Params& params);
 		/// Initializes the Context with the given parameters.

diff --git a/NetSSL_OpenSSL/src/Context.cpp b/NetSSL_OpenSSL/src/Context.cpp
@@ -230,6 +230,26 @@ void Context::setSecurityLevel(SecurityLevel level)
 #endif
 }
 
+void Context::ignoreUnexpectedEof(bool flag)
+{
+	if (flag)
+	{
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+		SSL_CTX_set_options(_pSSLContext, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
+	}
+	else
+	{
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+		SSL_CTX_clear_options(_pSSLContext, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
+	}
+}
+
+void Context::setQuietShutdown(bool flag)
+{
+	SSL_CTX_set_quiet_shutdown(_pSSLContext, flag ? 1 : 0);
+}
 
 void Context::useCertificate(const Poco::Crypto::X509Certificate& certificate)
 {

diff --git a/NetSSL_OpenSSL/src/FTPSClientSession.cpp b/NetSSL_OpenSSL/src/FTPSClientSession.cpp
@@ -96,7 +96,7 @@ void FTPSClientSession::afterCreateControlSocket()
 		try
 		{
 			if (!_pContext) _pContext = Poco::Net::SSLManager::instance().defaultClientContext();
-			Poco::Net::SecureStreamSocket sss(Poco::Net::SecureStreamSocket::attach(*_pControlSocket, _pContext));
+			Poco::Net::SecureStreamSocket sss(Poco::Net::SecureStreamSocket::attach(*_pControlSocket, getHost(), _pContext));
 			*_pControlSocket = sss;
 		}
 		catch (Poco::Exception&)
@@ -125,7 +125,7 @@ StreamSocket FTPSClientSession::establishDataConnection(const std::string& comma
 		Poco::Net::SecureStreamSocketImpl* pSecure = dynamic_cast<Poco::Net::SecureStreamSocketImpl*>(_pControlSocket->impl());
 		if (pSecure != nullptr)
 		{
-			Poco::Net::SecureStreamSocket sss(Poco::Net::SecureStreamSocket::attach(ss, pSecure->context(), pSecure->currentSession()));
+			Poco::Net::SecureStreamSocket sss(Poco::Net::SecureStreamSocket::attach(ss, getHost(), pSecure->context(), pSecure->currentSession()));
 			ss = sss;
 			if (_forceSessionReuse)
 			{

diff --git a/NetSSL_OpenSSL/src/SSLManager.cpp b/NetSSL_OpenSSL/src/SSLManager.cpp
@@ -77,7 +77,8 @@ const bool        SSLManager::VAL_FIPS_MODE(false);
 
 
 SSLManager::SSLManager():
-	_contextIndex(SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL))
+	_contextIndex(SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL)),
+	_socketIndex(SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL))
 {
 }
 
@@ -102,6 +103,7 @@ void SSLManager::shutdown()
 	ServerVerificationError.clear();
 	_ptrDefaultServerContext = 0;
 	_ptrDefaultClientContext = 0;
+	_socketIndex = _contextIndex = -1;
 }
 
 

diff --git a/NetSSL_OpenSSL/testsuite/src/TCPServerTest.cpp b/NetSSL_OpenSSL/testsuite/src/TCPServerTest.cpp
@@ -324,6 +324,7 @@ void TCPServerTest::testReuseSession()
 		9,
 		true,
 		"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+	pServerContext->disableProtocols(Context::PROTO_TLSV1_3);
 	pServerContext->enableSessionCache(true, "TestSuite");
 	pServerContext->setSessionTimeout(10);
 	pServerContext->setSessionCacheSize(1000);