From 36d75df56bfe03f7b25472e1fd5cfa4b389c33b4 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 20 Mar 2026 20:42:10 +0100 Subject: [PATCH] Revert "ssl_server2.c: DTLS: Attempt to read the response to the close notification" This reverts commit 0a8c35d273257d7102ef8af1e351fa9c7bb688d9. Signed-off-by: Ronald Cron --- programs/ssl/ssl_server2.c | 50 +------------------ tests/compat.sh | 1 - tests/scripts/components-configuration-tls.sh | 1 - 3 files changed, 1 insertion(+), 51 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index b01fcfcb05..82c01e1168 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -4235,55 +4235,7 @@ close_notify: } while (ret == MBEDTLS_ERR_SSL_WANT_WRITE); ret = 0; - /* - * In the DTLS case, attempt to read a possible response to the close - * notification. This avoids reconnecting to the same client when we - * reset and later receive its close-notification response during - * step 3 (waiting for a client to connect). - * - * Stop waiting for the response if the connection has already ended. - * - * The waiting loop below relies on mbedtls_ssl_read() returning regularly - * in order to keep the total waiting time approximately bounded to 1s. If - * no read timeout is configured (see the read_timeout option), or if the - * configured timeout is close to or larger than 1s, the total waiting time - * may exceed 1s by a significant margin. - */ -#if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_HAVE_TIME) - if (opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { - mbedtls_ms_time_t start = mbedtls_ms_time(); - for (;;) { - ret = mbedtls_ssl_read(&ssl, buf, opt.buffer_size); - /* - * mbedtls_ssl_read() returned some data or timed out, loop if we - * have not spent already too much time, quite arbitrarily 1s. - */ - if ((ret > 0) || (ret == MBEDTLS_ERR_SSL_TIMEOUT)) { - if ((mbedtls_ms_time() - start) < 1000) { - continue; - } - } - - if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { - mbedtls_printf(" done, received client close notification.\n"); - } else { - /* ret = 0, silent transport EOF or ret < 0 except - * MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY. Note that we do not - * handle specifically the non-fatal error codes like - * MBEDTLS_ERR_SSL_WANT_READ as we do not really expect them - * here. - */ - mbedtls_printf(" done\n"); - } - break; - } - ret = 0; - } else -#endif /* MBEDTLS_SSL_PROTO_DTLS && MBEDTLS_HAVE_TIME */ - { - mbedtls_printf(" done\n"); - } - fflush(stdout); + mbedtls_printf(" done\n"); #if defined(MBEDTLS_SSL_CACHE_C) if (opt.cache_remove > 0) { diff --git a/tests/compat.sh b/tests/compat.sh index 1bbed59929..22da5ee4ed 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -660,7 +660,6 @@ setup_arguments() # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes if is_dtls "$MODE"; then O_SERVER_ARGS="$O_SERVER_ARGS" - M_SERVER_ARGS="$M_SERVER_ARGS read_timeout=1000" else O_SERVER_ARGS="$O_SERVER_ARGS -www" fi diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 731f695bd5..78a6a8ffbe 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -385,7 +385,6 @@ component_test_tls1_2_ccm_psk_psa () { component_test_tls1_2_ccm_psk_dtls_legacy () { msg "build: configs/config-ccm-psk-dtls1_2.h" cp configs/config-ccm-psk-dtls1_2.h "$CONFIG_H" - scripts/config.py set MBEDTLS_HAVE_TIME # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake # want to re-generate generated files that depend on it, quite correctly. # However this doesn't work as the generation script expects a specific