Security Issues
You can use the functions RWSecureSocket::setShutdownMode() and RWSecureSocketContext::setShutdownMode() to set the shutdown mode to quiet. This mode instructs the SSL/TLS protocol to ignore CloseNotify messages that are sent by conforming SSL/TLS implementations at the end of a secure session. These functions enable interoperability with many SSL/TLS implementations. Unfortunately, using the quiet shutdown mode compromises security.
For example, the period at the end of the following sentence tells you that the sentence is complete:
“Destroy all documents unless I tell you otherwise.”
The CloseNotify message is equivalent to the period. If your application instructs the SSL/TLS protocol to ignore CloseNotify messages, an attacker could block the second part of the message, and your application would never know it. This type of attack is known as a truncation attack.
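The truncation described above, as an added example that is not SourcePro code: a constructed C++ model of the receive side after record decryption, in which `Record`, `readToEof` and the `declaredLen` length field are hypothetical names. It goes slightly beyond the text by also showing that, once CloseNotify is ignored, only an application-level length field can tell a cut session from a complete one.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Constructed model of decrypted TLS records; not the SourcePro API.
enum class RecordType : std::uint8_t { Alert = 21, ApplicationData = 23 };
struct Record { RecordType type; std::string payload; };
enum class ShutdownMode { Normal, Quiet };
enum class Verdict { Complete, Truncated, Unverified };
struct ReadResult { std::string data; Verdict verdict; };

// An alert payload is {level, description}; description 0 is close_notify.
static bool isCloseNotify(const Record& r) {
    return r.type == RecordType::Alert && r.payload.size() == 2 && r.payload[1] == 0;
}

// Consume the records that arrived before the transport closed.
// declaredLen (hypothetical) models a length field in the application
// protocol; pass -1 when the protocol has none.
ReadResult readToEof(const std::vector<Record>& arrived, ShutdownMode mode,
                     long declaredLen = -1) {
    ReadResult out{"", Verdict::Truncated};
    bool sawCloseNotify = false;
    for (const Record& r : arrived) {
        if (isCloseNotify(r)) { sawCloseNotify = true; break; }
        if (r.type == RecordType::ApplicationData) out.data += r.payload;
    }
    if (mode == ShutdownMode::Normal) {
        // Only an authenticated close_notify proves the peer finished.
        if (sawCloseNotify) out.verdict = Verdict::Complete;
    } else if (declaredLen >= 0) {
        // Quiet mode: application framing is the only evidence left.
        if (out.data.size() == static_cast<std::size_t>(declaredLen))
            out.verdict = Verdict::Complete;
    } else {
        out.verdict = Verdict::Unverified;  // EOF accepted without proof
    }
    return out;
}

// Constructed sessions built from the sentence in the text above.
std::vector<Record> fullSession() {
    return {{RecordType::ApplicationData, "Destroy all documents "},
            {RecordType::ApplicationData, "unless I tell you otherwise."},
            {RecordType::Alert, std::string("\x01\x00", 2)}};
}
// The same session with everything after the first record blocked.
std::vector<Record> cutSession() {
    std::vector<Record> s = fullSession();
    s.erase(s.begin() + 1, s.end());
    return s;
}
```

In quiet mode without a length field, `fullSession()` and `cutSession()` both come back as `Unverified`, so the application cannot tell them apart.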
For more information about security, see SSL and TLS - Designing and Building Secure Systems, by Eric Rescorla, referenced in Appendix B.