fix(security,tls): handle no SSL/TLS shutdown from peer in server

- Handle clearing error queue on SSL_read and SSL_write in `transport.cc` on error.
- Treat `0` and `<0` as errors in SSL_read and SSL_write, use SSL_get_error for retries.
- Bump patch version.

See https://docs.openssl.org/3.1/man3/SSL_read/ for error handling.
See https://docs.openssl.org/3.1/man3/SSL_write/ for error handling.
See #1309 for more details.

Author: dmg0345

include/pistache/peer.h

@@ -24,6 +24,7 @@
 
 #ifdef PISTACHE_USE_SSL
 
+#include <openssl/err.h>
 #include <openssl/ssl.h>
 
 #endif /* PISTACHE_USE_SSL */

src/common/transport.cc

@@ -323,12 +323,29 @@ namespace Pistache::Tcp
                 bytes = SSL_read(reinterpret_cast<SSL*>(peer->ssl()),
                                  buffer + totalBytes,
                                  static_cast<int>(Const::MaxBuffer - totalBytes));
-                if (bytes < 0)
+                if (bytes <= 0)
                 {
                     int ssl_get_error_res = SSL_get_error(
                         reinterpret_cast<SSL*>(peer->ssl()),
                         static_cast<int>(bytes));
-                    retry = (ssl_get_error_res == SSL_ERROR_WANT_READ);
+                    PS_LOG_DEBUG_ARGS("SSL_read err %d, bytes %d", ssl_get_error_res, bytes);
+
+                    switch (ssl_get_error_res)
+                    {
+                    case SSL_ERROR_SYSCALL:
+                    case SSL_ERROR_SSL:
+                        PS_LOG_DEBUG_ARGS("SSL_read clearing error queue, last 0x%08X", ERR_peek_last_error());
+                        ERR_clear_error();
+                        break;
+
+                    case SSL_ERROR_WANT_READ:
+                        bytes = -1; // To force handling of reset in the logic that follows.
+                        retry = true;
+                        break;
+
+                    default:
+                        break;
+                    }
                 }
             }
             else
@@ -723,10 +740,12 @@ namespace Pistache::Tcp
                 PS_LOG_DEBUG_ARGS("SSL_write, len %d", static_cast<int>(len));
 
                 bytesWritten = SSL_write(ssl_, buffer, static_cast<int>(len));
-                if (bytesWritten < 0)
+                if (bytesWritten <= 0)
                 {
                     int ssl_get_error_res = SSL_get_error(
                         ssl_, static_cast<int>(bytesWritten));
+                    PS_LOG_DEBUG_ARGS("SSL_write err %d, bytes %d", ssl_get_error_res, bytesWritten);
+
                     switch (ssl_get_error_res)
                     {
                     case SSL_ERROR_WANT_WRITE:
@@ -744,6 +763,8 @@ namespace Pistache::Tcp
 
                     case SSL_ERROR_SYSCALL:
                     case SSL_ERROR_SSL:
+                        PS_LOG_DEBUG_ARGS("SSL_write clearing error queue, last 0x%08X", ERR_peek_last_error());
+                        ERR_clear_error();
                         errno = EBADF;
                         break;
 

tests/https_server_test.cc

@@ -505,6 +505,59 @@ TEST(https_server_test, basic_tls_request_with_password_cert)
     ASSERT_EQ(buffer, "Hello, World!");
 }
 
+TEST(https_server_test, basic_tls_requests_with_no_shutdown_from_peer)
+{
+    Http::Endpoint server(Address("localhost", Pistache::Port(0)));
+
+    const auto sslctxCallback = +[](CURL* /* curl */, void* sslctx, void* /* parm */) -> CURLcode {
+    // Enable quiet shutdown so that we do not send any shutdown notification to server from peer.
+#if !defined(__APPLE__)
+        // In macOS, setting this flag causes a seg fault intermittently,
+        // seemingly because a bad sslctx is being passed in by
+        // libcurl/openssl. See discussion in:
+        //   https://github.com/pistacheio/pistache/pull/1310
+        // @May/2025.
+        SSL_CTX_set_quiet_shutdown(reinterpret_cast<SSL_CTX*>(sslctx), 1);
+#else
+        (void)sslctx;
+#endif
+        return CURLE_OK;
+    };
+
+    server.init(Http::Endpoint::options().flags(Tcp::Options::ReuseAddr));
+    server.setHandler(Http::make_handler<HelloHandler>());
+    server.useSSL("./certs/server.crt", "./certs/server.key");
+    server.serveThreaded();
+
+    CURL* curl;
+    CURLcode res;
+    std::string buffer;
+
+    curl = curl_easy_init();
+    ASSERT_NE(curl, nullptr);
+
+    const auto url = getServerUrl(server);
+    curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
+    curl_easy_setopt(curl, CURLOPT_CAINFO, "./certs/rootCA.crt");
+    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
+    curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxCallback);
+    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, &write_cb);
+    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &buffer);
+    CSO_WIN_REVOKE_BEST_EFFORT;
+
+    // Perform multiple requests with quiet shutdown and ensure they are handled.
+    for (std::size_t req_i = 0U; req_i < 5U; req_i++)
+    {
+        res = curl_easy_perform(curl);
+        EXPECT_EQ(res, CURLE_OK);
+        EXPECT_EQ(buffer, "Hello, World!");
+        buffer.clear();
+    }
+
+    curl_easy_cleanup(curl);
+    server.shutdown();
+}
+
 // MUST be LAST test
 TEST(https_server_test, last_curl_global_cleanup)
 {

version.txt

@@ -1 +1 @@
-0.5.6.20250328
+0.5.7.20250508