A secure SSL/TLS connection requires a proper shutdown process to securely indicate the [@https://en.wikipedia.org/wiki/End-of-file ['EOF]] condition. This process prevents a type of attack known as a [@https://en.wikipedia.org/wiki/Transport_Layer_Security#Truncation_attack ['truncation attack]], in which an attacker closes the underlying transport layer and thereby controls the length of the last message in the SSL/TLS connection. A shutdown process consists of exchanging `close_notify` messages between the two parties. In __Asio__ these steps happen by calling `shutdown()` or `async_shutdown()` on an `ssl::stream` object.
There are SSL/TLS implementations that don't perform a proper shutdown process and simply close the underlying transport layer instead. As a result, the EOF condition in these applications is not cryptographically secure and should not be relied upon. However, there are scenarios where an HTTPS client or server doesn't need EOF for determining the end of the last message:
In such scenarios, `http::read` or `http::async_read` operations succeed as they don't need EOF to complete. However, the next operation on the stream would fail with an [@boost:/doc/html/boost_asio/reference/ssl__error__stream_errors.html `net::ssl::error::stream_truncated`] error.
It is rare, and a genuine security issue, for an HTTPS server to skip the SSL/TLS shutdown procedure and also send an HTTP response message that relies on EOF to determine the end of the body. Without an SSL/TLS shutdown procedure, the EOF is not cryptographically secure, which leaves the message body vulnerable to truncation attacks.
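The distinction drawn above, as an added example that is not part of Beast or Asio: self-contained C++ that decides, from a response header block, whether a connection that ended without `close_notify` is benign or leaves the body open to truncation. The names `Verdict`, `needs_eof` and `classify` are hypothetical, and the framing rules (no-body status codes, `Content-Length`, a final `chunked` coding) are taken from RFC 9112 rather than from this page.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
// Hypothetical names, not Beast or Asio API. Framing rules per RFC 9112 section 6.3.
enum class Verdict { AuthenticatedEof, BenignTruncation, UnsafeTruncation };

// Lowercase and strip all whitespace (including the trailing '\r').
static std::string norm(std::string s) {
    s.erase(std::remove_if(s.begin(), s.end(),
            [](unsigned char c) { return std::isspace(c) != 0; }), s.end());
    std::transform(s.begin(), s.end(), s.begin(),
            [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// True when only connection close (EOF) marks the end of the response body.
bool needs_eof(const std::string& head, bool head_request = false) {
    std::istringstream in(head);
    std::string line, version;
    int status = 0;
    std::getline(in, line);
    std::istringstream first(line);
    first >> version >> status;
    // These responses never carry a body, so the header block ends the message.
    if (head_request || (status >= 100 && status < 200) || status == 204 || status == 304)
        return false;
    bool has_length = false, has_te = false, chunked_last = false;
    const std::string tail = ",chunked";
    while (std::getline(in, line) && !norm(line).empty()) {
        const auto colon = line.find(':');
        if (colon == std::string::npos) continue;
        const std::string name = norm(line.substr(0, colon));
        const std::string value = norm(line.substr(colon + 1));
        if (name == "content-length") has_length = true;
        if (name != "transfer-encoding") continue;
        has_te = true;
        chunked_last = value == "chunked" || (value.size() > tail.size() &&
            value.compare(value.size() - tail.size(), tail.size(), tail) == 0);
    }
    // Transfer-Encoding overrides Content-Length; only a final "chunked" delimits the body.
    return has_te ? !chunked_last : !has_length;
}

// got_close_notify: the peer's close_notify arrived before the transport closed.
Verdict classify(const std::string& head, bool got_close_notify, bool head_request = false) {
    if (got_close_notify) return Verdict::AuthenticatedEof;
    return needs_eof(head, head_request) ? Verdict::UnsafeTruncation : Verdict::BenignTruncation;
}
```

`BenignTruncation` presumes the message was already parsed to completion by its own framing; an `UnsafeTruncation` body should be treated as possibly cut short and not acted on.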