proposal: crypto/tls: closeNotify failure should be a well-known error type for easy exclusion #75600

@oakad

Description

Proposal Details

In many cases, servers don't wait for TLS closeNotify from the client. For example, both MySQL and PostgreSQL will sometimes drop the connection the moment the appropriate "disconnect" command is received, without waiting for further comms from the client (this is a deliberate implementation choice, given that all the messages are length-prefixed and such).

Right now, failure to "closeNotify" is a free-form error:

alertErr = fmt.Errorf("tls: failed to send closeNotify alert (but connection was closed anyway): %w", err)

It will be substantially safer to make it a named error type, so in cases where the client knows that the server can drop the connection, it can be easily suppressed with errors.Is without relying on unsafe string matching.
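The failure mode the proposal describes, reproduced deterministically as an added example (this is not the proposal author's code and not part of crypto/tls): a real TLS 1.3 handshake runs over an in-memory net.Pipe, the server then drops its raw transport without ever sending closeNotify, and the client's tls.Conn.Close returns the wrapped "failed to send closeNotify alert" error. Because the standard library currently exports no named error for this, the example confines the string match to one function and wraps the result in errCloseNotifyFailed, a hypothetical application-local sentinel standing in for what the proposal asks crypto/tls to provide; everything else uses errors.Is. The certificate, the "localhost" name and all function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// errCloseNotifyFailed is a hypothetical, application-local sentinel standing in
// for the named error this proposal asks crypto/tls to export.
var errCloseNotifyFailed = errors.New("tls: peer dropped the connection before closeNotify")

// closeNotifyError wraps the Close error so errors.Is matches both the
// sentinel and the underlying transport error.
type closeNotifyError struct{ cause error }

func (e *closeNotifyError) Error() string   { return errCloseNotifyFailed.Error() + ": " + e.cause.Error() }
func (e *closeNotifyError) Is(t error) bool { return t == errCloseNotifyFailed }
func (e *closeNotifyError) Unwrap() error   { return e.cause }

// classifyCloseErr is the one place that still has to match the message text
// (the fragile check the proposal wants to retire); callers use errors.Is.
func classifyCloseErr(err error) error {
	if err != nil && strings.Contains(err.Error(), "failed to send closeNotify alert") {
		return &closeNotifyError{cause: err}
	}
	return err
}

// selfSignedCert builds a throwaway P-256 certificate for "localhost" plus a root
// pool that trusts it, so the client verifies the server instead of skipping verification.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// CloseAfterPeerDrop runs a TLS 1.3 handshake over net.Pipe, has the server drop
// its raw transport without sending closeNotify (the MySQL/PostgreSQL behaviour
// from the proposal), and returns the classified error from the client's Close.
func CloseAfterPeerDrop() error {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return err
	}
	rawClient, rawServer := net.Pipe()
	srv := tls.Server(rawServer, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // no post-handshake ticket writes to block on the synchronous pipe
	})
	cli := tls.Client(rawClient, &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS13,
	})
	srvDone := make(chan error, 1)
	go func() { srvDone <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return fmt.Errorf("client handshake: %w", err)
	}
	if err := <-srvDone; err != nil {
		return fmt.Errorf("server handshake: %w", err)
	}
	rawServer.Close() // the server walks away; the client's closeNotify alert now has nowhere to go
	return classifyCloseErr(cli.Close())
}

func main() {
	err := CloseAfterPeerDrop()
	fmt.Printf("Close returned: %v\nsuppressible with errors.Is: %t\n", err, errors.Is(err, errCloseNotifyFailed))
}
```

Because the wrapper keeps the transport error reachable through Unwrap, a caller that wants to ignore only the "peer already gone" case can still inspect the cause (here io.ErrClosedPipe; on a real socket it would be a *net.OpError), which is the discrimination a named error in crypto/tls would make possible without the string match.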

Labels: LibraryProposal (issues describing a requested change to the Go standard library or x/ libraries, but not to a tool), Proposal, Proposal-Crypto (proposal related to crypto packages or other security issues)