ssl: read pending close notify alert before closing the connection #7095
This avoids a TCP reset (RST) if the server initiates a connection shutdown by sending an SSL close notify alert and then closes the TCP connection.
For SSL connections, usually the server announces that it will close the connection with an SSL close notify alert. curl should read this alert. If curl does not read this alert and just closes the connection, some operating systems close the TCP connection with an RST flag. See RFC 1122, section 4.2.2.13.
If curl reads the close notify alert, the TCP connection is closed normally with a FIN flag.
The new code is similar to existing code in the "SSL shutdown" function: try to read an alert (non-blocking), and ignore any read errors.
TLS backends
This pull request implements a fix for:
I am not sure whether a fix is also needed for:
Probably no fix is needed, because
How to test (on Linux, with the openssl TLS backend)
The Apache HTTP server will send a close notify alert and close the connection after the response because of the header "Connection: close".
Without the fix:
With the fix:
The RST/FIN TCP flags can be observed with Wireshark.
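The RFC 1122 behaviour described in this pull request can be reproduced without TLS. The following C program is an added example, not code from the pull request or from curl: over loopback TCP a server sends bytes standing in for the alert, then a FIN, and the client closes either with or without first doing one non-blocking read. Assumptions: Linux, the hypothetical helper name `close_after_alert`, the constructed alert bytes, and a server that keeps its descriptor open after `shutdown()` so the outcome is visible through `recv()`.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Constructed stand-in for the server's close notify (no TLS handshake here):
   record type alert (21), version 3.3, length 2, warning (1), close_notify (0) */
static const unsigned char ALERT[] = {0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00};

/* Hypothetical helper. Returns 0 if the server saw a clean FIN after the client's
   close(), else the errno of the server's recv(); -1 on setup failure. */
int close_after_alert(int read_pending)
{
  struct sockaddr_in a = {0};
  socklen_t alen = sizeof(a);
  struct timeval tv = {2, 0};
  char buf[32];
  int result = -1, srv = -1;
  int lsn = socket(AF_INET, SOCK_STREAM, 0);
  int cli = socket(AF_INET, SOCK_STREAM, 0);
  struct pollfd p = {cli, POLLIN, 0};
  a.sin_family = AF_INET;
  a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
  if(bind(lsn, (struct sockaddr *)&a, sizeof(a)) || listen(lsn, 1) ||
     getsockname(lsn, (struct sockaddr *)&a, &alen) ||
     connect(cli, (struct sockaddr *)&a, sizeof(a)) ||
     (srv = accept(lsn, NULL, NULL)) < 0)
    goto out;
  /* Server: send the alert, then FIN. Demo only: the descriptor stays open so
     recv() below can observe what the client's close() put on the wire. */
  send(srv, ALERT, sizeof(ALERT), 0);
  shutdown(srv, SHUT_WR);
  /* Client: wait until the alert sits unread in the receive buffer. */
  poll(&p, 1, 2000);
  if(read_pending) /* one non-blocking read, errors ignored */
    (void)recv(cli, buf, sizeof(buf), MSG_DONTWAIT);
  close(cli);
  setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
  result = recv(srv, buf, sizeof(buf), 0) < 0 ? errno : 0;
out:
  if(result < 0) close(cli); /* setup failed before the client was closed */
  if(srv >= 0) close(srv);
  close(lsn);
  return result;
}
```

Calling `close_after_alert(0)` makes the server's `recv()` fail with `ECONNRESET`, while `close_after_alert(1)` lets it return 0 for an orderly FIN.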
I see that you don't use whatever is written to buf. In that case maybe try passing NULL instead of creating a 32 byte variable. Some functions allow that, not sure about those though.
It's fine to use buf and probably safer. This still has the issue there is a race condition where the alert may be received after the read call. I think the only way to deal with this correctly is a non-blocking SSL shutdown state that times out after xx seconds. See also #6149. Though this appears to be an improvement.
The documentation of OpenSSL does not say anything about passing
Thank you for the link to #6149. A non-blocking SSL shutdown state would be difficult to implement. I hope that this improvement is "good enough".
This avoids a TCP reset (RST) if the server initiates a connection
shutdown by sending an SSL close notify alert and then closes the TCP
connection.
For SSL connections, usually the server announces that it will close the
connection with an SSL close notify alert. curl should read this alert.
If curl does not read this alert and just closes the connection, some
operating systems close the TCP connection with an RST flag.
See RFC 1122, section 4.2.2.13
If curl reads the close notify alert, the TCP connection is closed
normally with a FIN flag.
The new code is similar to existing code in the "SSL shutdown" function:
try to read an alert (non-blocking), and ignore any read errors.