require-closure-notification

This command controls whether to log a TLS library error when TLS peers do not send the close_notify alert on shutdown.

Syntax

Require the close_notify alert and log the TLS library error
require-closure-notification on
Do not require the close_notify alert and do not log the TLS library error
require-closure-notification off

Parameters

on
When the TLS peer does not send the close_notify alert, log the TLS library error. This is the default setting.
Use this setting only when the protocol that runs over TLS can detect a truncation attack itself and the application checks for truncation attacks.
off
When the TLS peer does not send the close_notify alert, do not log the TLS library error.

Guidelines

The require-closure-notification command controls whether to log a TLS library error when TLS peers do not send the mandatory close_notify alert on shutdown.

Requiring the close_notify alert to end a TLS connection enforces stricter TLS session handling. However, some peers do not send the close_notify alert and instead end the TLS connection abruptly. When a TLS peer closes a connection abruptly and the configuration requires the close_notify alert, message 0x8120002f is logged with TLS library error 0A000126. This TLS library error indicates an unexpected EOF, which might indicate a truncation attack. An unexpected EOF does not always indicate a real problem, but it does indicate that the connection was terminated without the close_notify alert.

Attention: Because the server closed the TLS connection incorrectly, some services might return the connection error to the originating client.
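The following is an added example, not part of the IBM documentation, that models what the on and off settings mean for the application protocol above the TLS layer. The TLS connection is simulated with an in-memory record list (no sockets or certificates), the log text is a constructed string modelled on the message and error id cited above, and the two HTTP-style framings are assumptions chosen to show the point in the parameter guidance: once the TLS layer stops flagging a missing close_notify, only a protocol that frames its own messages can notice that a response was cut short.

```python
# Added example (not from the IBM documentation): a model of
# require-closure-notification on/off as seen by the application protocol.
# The TLS layer is simulated; no real sockets or certificates are involved.
from dataclasses import dataclass, field
from typing import Callable

CLOSE_NOTIFY = "close_notify"   # simulated TLS close_notify alert
ABRUPT_EOF = "abrupt_eof"       # simulated TCP close with no close_notify

# Constructed log line, modelled on the message and error id the page cites.
LOG_UNEXPECTED_EOF = "0x8120002f: TLS library error 0A000126 (unexpected EOF)"


@dataclass
class Received:
    data: bytes
    log: list = field(default_factory=list)


def tls_receive(records: list, require_closure_notification: bool) -> Received:
    """Drain a simulated TLS connection and apply the page's logging rule.

    `records` holds application-data byte strings followed by one end marker.
    With the setting on, an abrupt EOF is logged as a TLS library error;
    with it off, the same EOF is treated as a normal end of stream.
    """
    rx = Received(data=b"")
    for rec in records:
        if isinstance(rec, bytes):
            rx.data += rec
        elif rec == CLOSE_NOTIFY:
            break                                   # clean shutdown
        elif rec == ABRUPT_EOF:
            if require_closure_notification:        # "on": log the TLS error
                rx.log.append(LOG_UNEXPECTED_EOF)
            break                                   # "off": silent EOF
        else:
            raise ValueError(f"unknown record {rec!r}")
    return rx


def split_http(data: bytes) -> tuple:
    """Split an HTTP-style message into (lower-cased header dict, body)."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return {}, b""
    headers = {}
    for line in head.split(b"\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def parse_length_framed(data: bytes) -> tuple:
    """Content-Length framing: a short body is detectable by the application."""
    headers, body = split_http(data)
    if b"content-length" not in headers:
        return body, False                          # header truncated or missing
    expected = int(headers[b"content-length"])
    return body[:expected], len(body) >= expected


def parse_close_delimited(data: bytes) -> tuple:
    """Close-delimited framing (HTTP/1.0 style): EOF is the only end marker,
    so a truncated body is indistinguishable from a complete one."""
    _, body = split_http(data)
    return body, True


def outcome(records: list, require_on: bool, framing: Callable) -> str:
    """Combine the TLS-layer rule with the application framing."""
    rx = tls_receive(records, require_on)
    _, complete = framing(rx.data)
    if rx.log:
        return "tls error logged"
    if not complete:
        return "truncation detected by application"
    return "accepted"


# Constructed sample response; the cut copy loses the "hold" field entirely.
FULL_BODY = b'{"balance": 1000, "hold": 900}'
CUT_BODY = FULL_BODY[:18]                           # b'{"balance": 1000, '
HEAD_LEN = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(FULL_BODY)
HEAD_CLOSE = b"HTTP/1.0 200 OK\r\nConnection: close\r\n\r\n"

FRAMINGS = {"length": (HEAD_LEN, parse_length_framed),
            "close": (HEAD_CLOSE, parse_close_delimited)}

CASES = (("complete", FULL_BODY, CLOSE_NOTIFY),      # clean shutdown
         ("complete-abrupt", FULL_BODY, ABRUPT_EOF), # full data, no close_notify
         ("truncated", CUT_BODY, ABRUPT_EOF))        # cut short, no close_notify


def decision_matrix() -> dict:
    """Outcome for every (setting, framing, case) combination."""
    results = {}
    for require_on in (True, False):
        for name, (head, framing) in FRAMINGS.items():
            for label, body, end in CASES:
                results[(require_on, name, label)] = outcome(
                    [head + body, end], require_on, framing)
    return results


if __name__ == "__main__":
    for key, result in decision_matrix().items():
        print(f"require={'on' if key[0] else 'off':3} framing={key[1]:6} "
              f"{key[2]:16} -> {result}")
```

The row to look at is `require=off framing=close truncated -> accepted`: with the setting off and a close-delimited protocol, the cut-short body is accepted as if it were complete, which is the case the parameter guidance warns about. The `complete-abrupt` rows with the setting on show the other side of the trade-off: a peer that simply never sends close_notify produces the logged error on every connection even though no data was lost.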