When accepting new TLS connection with Accepted::into_connection(config) no TLS alert is sent #1792
Comments
I spent some time looking at this on Saturday. It's not obvious to me why this happens from looking at the
Is it because
Hmm, yes. So if an error occurs in So I think this is technically an error in your code, but it's also a bit of a pitfall with the
If an alert is queued for sending during
Ahh, that's fair.
I suppose the
Would a following change in diff --git a/rustls/src/server/server_conn.rs b/rustls/src/server/server_conn.rs
index fe1569ca..80d4d194 100644
--- a/rustls/src/server/server_conn.rs
+++ b/rustls/src/server/server_conn.rs
@@ -798,9 +798,9 @@ impl Accepted {
Self::client_hello_payload(&self.message),
&self.message,
&mut cx,
- )?;
+ );
- self.connection.replace_state(new);
+ self.connection.core.state = new;
Ok(ServerConnection {
inner: self.connection,
}) At least it seems to handle the error case properly. Calling |
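Review bot: changing `)?;` to `);` and storing the whole `Result` in `self.connection.core.state` means `into_connection` now returns `Ok(ServerConnection { ... })` even when the state transition failed, so a caller that matched on `Err` to reject the connection silently gets an `Ok` and only meets the handshake error on its next `process_new_packets`/`complete_io`; that contract change needs to be stated in the function's doc comment. The direct field write also bypasses `replace_state`, so anything that helper does beyond the plain assignment is skipped here. If the intent is to get the queued alert onto the wire, consider keeping the error in the return value while still handing the caller the connection (or its pending alert bytes), so the alert can be flushed before the error is propagated.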
Sketched out a fix in #1811.
@djc Thanks a lot! Isn't returning In an example code snippet below, TLS alert should be sent because local

```rust
let mut acceptor = Acceptor::default();
let accepted = loop {
    // Feed bytes from the client socket into the acceptor until a full ClientHello has arrived
    acceptor.read_tls(&mut stream)?;
    if let Some(accepted) = acceptor.accept()? {
        break accepted;
    }
};
// Use a fixed config
let mut conn = accepted.into_connection(config)?;
let (_bytes_read, _bytes_written) = conn.complete_io(&mut stream)?;
```
Ah, yes -- I revised the PR to also change the error type for
@vartiait2 Thanks for the detailed bug report. This should be fixed with #1811 and included in the upcoming release (#1777)
@vartiait2 Would you be interested in writing a PR for tokio-rustls to bring those API updates over?
Sure 👍🏻
@vartiait2 Ah, looks like ctz beat you to it: rustls/tokio-rustls#44
Oops! Sorry about that.
No problem! 😄 Thanks a lot @ctz for a quick integration update! 👍🏻
Describe the bug

When using `Accepted::into_connection(config)`, no TLS alert is sent when an error occurs during the handshake. E.g. TLS protocol version mismatch: a server is configured to support only TLS 1.3 and a client supports only TLS 1.2.

When using `ServerConnection::new(config)`, a TLS alert is sent.

To Reproduce

Steps to reproduce the behavior:

1. Accept connections with `Accepted::into_connection(config)` (e.g. with a config supporting only TLS 1.3)
2. Run `openssl s_client -connect 127.0.0.1:8443 -tls1_2`. Output:

CONNECTED(00000003) C0C71E44F87F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:

When accepting connections with `ServerConnection::new(config)`, a TLS alert is sent:

CONNECTED(00000003) C0C71E44F87F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1586:SSL alert number 70

Applicable Version(s)

0.22.2

Expected behavior

TLS alert is sent to a client.
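A wire-level check for the behaviour this report describes, added here and not part of the issue or of rustls: it sends a TLS 1.2-only ClientHello (no supported_versions extension, as `openssl s_client -tls1_2` does) and reports whether the server answered with an alert record, such as the fatal protocol_version (70) seen above, or simply closed the connection. The probe target, the cipher suite list and the alert-name table are assumptions.

```python
import os
import socket
import struct

# TLS AlertDescription values relevant here (RFC 8446 section 6); 70 is the one OpenSSL reported above
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version",
                      71: "insufficient_security", 80: "internal_error"}

def tls12_client_hello():
    """Minimal TLS 1.2 ClientHello with no extensions (so no supported_versions), like `openssl s_client -tls1_2`."""
    suites = b"".join(struct.pack("!H", s) for s in (0xC02B, 0xC02C, 0xC02F, 0xC030))  # assumed TLS 1.2 suites
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"       # client_version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + b"\x00\x00")                 # null compression only, zero-length extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record, legacy version

def parse_records(data):
    """Yield (content_type, payload) for each complete TLS record; a truncated tail is ignored."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        if off + 5 + length > len(data):
            break
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length

def classify_response(data):
    """Map the server's raw reply to the two behaviours seen in this issue."""
    if not data:
        return "eof_without_alert"  # connection closed with nothing sent: the reported bug
    for ctype, payload in parse_records(data):
        if ctype == 21 and len(payload) == 2:  # alert record: AlertLevel, AlertDescription
            level, desc = payload
            name = ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")
            return f"alert {'fatal' if level == 2 else 'warning'} {name}"
    return "no_alert_record"

def probe(host, port, timeout=3.0):
    """Send the TLS 1.2-only ClientHello and classify what comes back (reads until EOF or timeout)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(tls12_client_hello())
        chunks = []
        try:
            while chunk := s.recv(4096):
                chunks.append(chunk)
        except socket.timeout:
            pass
    return classify_response(b"".join(chunks))
```

Run `probe("127.0.0.1", 8443)` against the server from the reproduction steps: `eof_without_alert` is the behaviour reported here, `alert fatal protocol_version` the expected one.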