2 files changed, 14 insertions, 8 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index b7b6570ff9..d942c35fec 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.8 2015/03/31 12:21:27 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.9 2015/04/02 13:19:15 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -326,12 +326,15 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen)
 int
 tls_close(struct tls *ctx)
 {
-        /* XXX - handle case where multiple calls are required. */
+        int ssl_ret;
+
         if (ctx->ssl_conn != NULL) {
-                if (SSL_shutdown(ctx->ssl_conn) == -1) {
-                        tls_set_error(ctx, "SSL shutdown failed");
-                        goto err;
-                }
+                ssl_ret = SSL_shutdown(ctx->ssl_conn);
+                if (ssl_ret == 0)
+                        ssl_ret = SSL_shutdown(ctx->ssl_conn);
+                if (ssl_ret < 0)
+                        return tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret,
+                            "shutdown");
         }
 
         if (ctx->socket != -1) {
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 8df1d204ff..1ec8865075 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.21 2015/04/02 05:54:22 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.22 2015/04/02 13:19:15 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -407,6 +407,7 @@ will return 0 on success and -1 on error.
 Functions that return a pointer will return NULL on error.
 .Pp
 The
+.Fn tls_close ,
 .Fn tls_read
 and
 .Fn tls_write
@@ -424,8 +425,10 @@ A write operation is necessary to continue.
 .El
 .Pp
 The caller should call the appropriate function, or in the case of the
+.Fn tls_close
+and the
 .Fn tls_accept
-or
+and
 .Fn tls_connect
 function families, repeat the call.
 .Sh ERRORS