From 566dc5545bb4c55fdfd883ffa3bdcd6485f6f80e Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Fri, 19 Oct 2012 20:52:18 +0200
Subject: [PATCH] MINOR: ssl: improve socket behaviour upon handshake abort.

While checking haproxy's SSL stack with www.ssllabs.com, it appeared that
immediately closing upon a failed handshake caused a TCP reset to be emitted.
This is because OpenSSL does not consume pending data in the socket buffers.
One side effect is that if the reset packet is lost, the client might not get
it. So now when a handshake fails, we try to clean the socket buffers before
closing, resulting in a clean FIN instead of an RST.
---
 src/ssl_sock.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f5e68b1d3..9c60679cb 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -856,6 +856,12 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 		}
 		else {
 			/* Fail on all other handshake errors */
+			/* Note: OpenSSL may leave unread bytes in the socket's
+			 * buffer, causing an RST to be emitted upon close() on
+			 * TCP sockets. We first try to drain possibly pending
+			 * data to avoid this as much as possible.
+			 */
+			ret = recv(conn->t.sock.fd, trash, trashlen, MSG_NOSIGNAL|MSG_DONTWAIT);
 			goto out_error;
 		}
 	}