Today we're going to talk about SSL Closure Alerts in Internet Explorer. The symptom is usually a "Page Cannot Be Displayed" error when the user connects to a secure website hosted on a non-Microsoft web server. Before we get too deep into the analysis, it is important to note that this issue cannot be accurately diagnosed without collecting a network trace of the behavior.
So what exactly is the SSL Closure Alert? The SSL3 Closure Alert is a 23-byte packet sent by several kinds of servers to indicate that the SSL session is being closed at the server, even though the Keep-Alive headers indicate that the socket can be left open. Keep in mind that a "Connection: Keep-alive" header is read and handled at the HTTP protocol level, not at the TCP level.
The client and the server must share knowledge that the connection is ending in order to avoid a truncation attack. Either party may initiate the exchange of closing messages. This is where the close_notify message comes into play. This message notifies the recipient that the sender will not send any more messages on this connection. The session cannot be resumed if any connection is terminated without proper close_notify messages with level equal to warning.
Either party may initiate a close by sending a close_notify alert. Any data received after a closure alert is ignored. Each party is required to send a close_notify alert before closing the write side of the connection. It is required that the other party respond with a close_notify alert of its own and close down the connection immediately, discarding any pending writes. It is not required for the initiator of the close to wait for the responding close_notify alert before closing the read side of the connection.
This is significant in the case of the close_notify packet because Internet Explorer reads the keep-alive header in the initial server response and keeps the socket alive. Unfortunately, when the server sends the close_notify packet to inform the client that it is about to close the socket, the packet arrives without any TCP-level flag (FIN/ACK, RST) telling Internet Explorer that the port is being closed. Since Internet Explorer does not recognize that the close_notify data is not program data, the port is left open on the client.
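To make the distinction between a closure alert and program data concrete, here is an added example (not code from the original post or from Internet Explorer) that parses a TLS/SSL3 record stream, picks out the alert record carrying close_notify, and discards anything that arrives after it, as the close_notify rules above require. The sample bytes are constructed here and assume a null cipher so the two-byte alert body is readable; on a real connection only the 5-byte record header is in the clear, but that header's content type is enough to tell an alert record from application data.

```python
import struct
from typing import List, Tuple

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
CLOSE_NOTIFY = 0      # AlertDescription.close_notify
LEVEL_WARNING = 1     # AlertLevel.warning

Record = Tuple[str, int, bytes]  # (content type name, declared length, payload)


def parse_records(data: bytes) -> List[Record]:
    """Split a byte stream into records using the 5-byte SSL3/TLS header:
    content type (1), protocol version (2), payload length (2, big-endian)."""
    records: List[Record] = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, _major, _minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            break  # truncated record: stop rather than guess at its contents
        records.append((CONTENT_TYPES.get(ctype, f"unknown({ctype})"), length, payload))
        offset += 5 + length
    return records


def is_close_notify(record: Record) -> bool:
    """True if the record is an alert whose (plaintext) body is warning/close_notify."""
    ctype, _, payload = record
    return ctype == "alert" and len(payload) == 2 and payload[0] == LEVEL_WARNING and payload[1] == CLOSE_NOTIFY


def data_before_close(records: List[Record]) -> bytes:
    """Return application data received up to the first close_notify; any data
    after the closure alert is ignored, as the protocol requires."""
    out = b""
    for rec in records:
        if is_close_notify(rec):
            break
        if rec[0] == "application_data":
            out += rec[2]
    return out


# Constructed sample stream (TLS 1.0 version bytes 0x03 0x01, null cipher): an
# HTTP response with a Keep-Alive header, then the server's close_notify alert,
# then a stray record that a correct client must ignore.
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nConnection: Keep-Alive\r\nContent-Length: 2\r\n\r\nok"
SAMPLE = (
    b"\x17\x03\x01" + struct.pack("!H", len(HTTP_RESPONSE)) + HTTP_RESPONSE
    + b"\x15\x03\x01\x00\x02\x01\x00"   # alert record: level=warning(1), close_notify(0)
    + b"\x17\x03\x01\x00\x05later"       # arrives after the closure alert: ignored
)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec[0], rec[1], "<- close_notify" if is_close_notify(rec) else "")
```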