close TLS sockets when they're being removed

which helps prevent OpenSSL confusion.  It doesn't check if the
underlying socket is closed, and instead just returns an error

Author: alandekok

src/include/radiusd.h

@@ -587,6 +587,9 @@ int	fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str);
 void listen_free(rad_listen_t **head);
 int listen_init(CONF_SECTION *cs, rad_listen_t **head, bool spawn_flag);
 rad_listen_t *proxy_new_listener(TALLOC_CTX *ctx, home_server_t *home, uint16_t src_port);
+#ifdef WITH_TLS
+void proxy_tls_close(rad_listen_t *listener);
+#endif
 RADCLIENT *client_listener_find(rad_listen_t *listener, fr_ipaddr_t const *ipaddr, uint16_t src_port);
 
 #ifdef WITH_STATS

src/main/process.c

@@ -6297,6 +6297,21 @@ static void event_new_fd(void *ctx)
 		this->dead = true;
 
 	remove_now:
+#ifdef WITH_TLS
+		/*
+		 *	Close it.  Which sets the status to EOL, so we
+		 *	have to update that, too.
+		 *
+		 *	proxy_tls_close also clears this->tls, so it's
+		 *	safe run this check multiple times, as the
+		 *	second time it won't close the same socket.
+		 */
+		if ((this->type == RAD_LISTEN_PROXY) && this->tls) {
+			proxy_tls_close(this);
+			this->status = RAD_LISTEN_STATUS_REMOVE_NOW;
+		}
+#endif
+
 		/*
 		 *      Re-open the socket, pointing it to /dev/null.
 		 *      This means that all writes proceed without

src/main/tls_listen.c

@@ -102,6 +102,15 @@ static void tls_socket_close(rad_listen_t *listener)
 	 */
 }
 
+void proxy_tls_close(rad_listen_t *listener)
+{
+	listen_socket_t *sock = listener->data;
+
+	PTHREAD_MUTEX_LOCK(&sock->mutex);
+	tls_socket_close(listener);
+	PTHREAD_MUTEX_UNLOCK(&sock->mutex);
+}
+
 static void tls_write_available(fr_event_list_t *el, int sock, void *ctx);
 
 /*