z/OS Communications Server: IP Programmer's Guide and Reference


Stopping AT-TLS on a connection

SC27-3659-02

Use the SIOCTTLSCTL ioctl with option TTLS_STOP_CONNECTION to stop secure traffic on the TCP connection. The SSL session ends on the connection and the TCP connection returns to cleartext communication. The connection retains the policy mapping, but the connection is in the same state as before a SIOCTTLSCTL ioctl with the TTLS_INIT_CONNECTION option was issued.

Applications that negotiate security can use this option to stop the secure connection. For example, an application negotiates, using cleartext, that a secure session needs to be established. Later, the application performs a separate negotiation to stop the secure connection. After both sides agree to stop security, the application issues the SIOCTTLSCTL ioctl with option TTLS_STOP_CONNECTION. If non-blocking sockets are used, the application can wait for the request to complete by waiting for the socket to become writable. If blocking sockets are used, the ioctl blocks until the request is complete. After the request completes, the connection state is NONSECURE.

The application must clear all application data from the connection before issuing the TTLS_STOP_CONNECTION request. All application data must be read from the socket. If any application data is unread, the TTLS_STOP_CONNECTION request fails with a return code of -1, an errno of Eproto, and an errno junior of JRTTLSStopReadDataPending. The application must read all of the data before the TTLS_STOP_CONNECTION request completes successfully. All application write requests must complete. If any application write requests are not complete, the TTLS_STOP_CONNECTION request fails with a return code of -1, an errno of Eproto, and an errno junior of JRTTLSStopWriteDataPending. The application must wait for all outstanding write requests to complete before the TTLS_STOP_CONNECTION request completes successfully.
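The clear-then-stop sequence above, sketched as an added example (not IBM sample code). The `ttls_ops` hooks, the `stop_result` names and the in-memory `fake_conn` are assumptions made for illustration; on z/OS the `try_stop` hook would issue the SIOCTTLSCTL ioctl with TTLS_STOP_CONNECTION and translate errno and the errno junior.

```c
/* Outcomes of one TTLS_STOP_CONNECTION attempt. The two *_PENDING values stand
 * for Eproto with errno junior JRTTLSStopReadDataPending / ...WriteDataPending;
 * these enum names are assumptions, not identifiers from the z/OS headers. */
enum stop_result { STOP_DONE, STOP_READ_PENDING, STOP_WRITE_PENDING, STOP_FAILED };

/* Hypothetical platform hooks. On z/OS, try_stop would issue the SIOCTTLSCTL
 * ioctl and translate errno and the errno junior into a stop_result. */
struct ttls_ops {
    enum stop_result (*try_stop)(void *conn);
    int (*drain_reads)(void *conn);   /* consume all unread application data */
    int (*finish_writes)(void *conn); /* wait for outstanding writes to complete */
};

/* Clear the connection as the page requires, then stop AT-TLS.
 * Returns 0 once the stop request succeeds, -1 on any other outcome. */
int stop_secure_traffic(const struct ttls_ops *ops, void *conn, int max_attempts)
{
    for (int i = 0; i < max_attempts; i++) {
        switch (ops->try_stop(conn)) {
        case STOP_DONE:
            return 0;
        case STOP_READ_PENDING:
            if (ops->drain_reads(conn) != 0) return -1;
            break;
        case STOP_WRITE_PENDING:
            if (ops->finish_writes(conn) != 0) return -1;
            break;
        default:
            return -1;
        }
    }
    return -1; /* data kept arriving or writes never completed: give up */
}

/* Constructed in-memory connection so the example runs off z/OS. */
struct fake_conn { int unread; int unsent; int secure; };

static enum stop_result fake_try_stop(void *p)
{
    struct fake_conn *c = p;
    if (c->unread > 0) return STOP_READ_PENDING;
    if (c->unsent > 0) return STOP_WRITE_PENDING;
    c->secure = 0; /* state is now NONSECURE */
    return STOP_DONE;
}
static int fake_drain(void *p)  { ((struct fake_conn *)p)->unread = 0; return 0; }
static int fake_finish(void *p) { ((struct fake_conn *)p)->unsent = 0; return 0; }

const struct ttls_ops fake_ops = { fake_try_stop, fake_drain, fake_finish };
```

The bounded attempt count keeps the caller from looping indefinitely; a caller should send cleartext only after the function returns 0.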

Restriction: The TTLS_STOP_CONNECTION option cannot be used on SSLv2 connections.
Tip: Do not use the TTLS_STOP_CONNECTION option if the application is not going to send or receive any cleartext data after the request completes. AT-TLS closes the SSL session when the application closes the TCP socket.





Copyright IBM Corporation 1990, 2014