trafficserver-users mailing list archives

From Leif Hedstrom <zw...@apache.org>
Subject Re: ATS and TLS close-notify
Date Sun, 02 Sep 2018 16:51:49 GMT
That seems plausible, but isn’t the indication that things got a lot worse from v6.x to 7.x?

The half-close logic is old, isn’t it? Did we change something in it in 7.x?

— Leif 

> On Sep 2, 2018, at 07:35, Susan Hinrichs <shinrich@oath.com> wrote:
> 
> Thinking on this some more, this sounds like bad interactions with the TCP half-closed logic in the state machine. If you are doing HTTP 1 over non-TLS, it is legal for a client to send a FIN but then read more data that the server sends. There is some logic to turn off this half-close logic in traffic server in inappropriate cases, but it is not perfect and has varied over time.
> 
> Earlier this year there was a PR to add a knob to turn off this behavior, but I don't know where it landed. I will check that out when I get back to the office.
> 
> Susan
> 
>> On Sat, Sep 1, 2018, 5:56 PM Susan Hinrichs <shinrich@oath.com> wrote:
>> Yes, ATS should respond with close notify or at least FIN the connection. What version of ATS are you seeing this with?
>> 
>> If there was already an application data packet in flight, it may arrive after the client sends the close notify. But in general ATS should shut down the connection.
>> 
>>> On Fri, Aug 31, 2018, 11:31 PM Jeremy Payne <jp557198@gmail.com> wrote:
>>> Context:
>>> 
>>> OpenSSL 1.0.2k
>>> ATS 7.1.4
>>> 
>>> I notice that at times a client will send a TLS 1.2 close-notify,
>>> immediately followed by a FIN-ACK, which seems to follow the spec:
>>> 
>>> "It is not required for the initiator of the close to wait for the
>>> responding close_notify alert before closing the read side of the connection."
>>> 
>>> 
>>> However, in response, ATS continues to send 'application data'
>>> instead of issuing its own TLS 1.2 close-notify, which then results in
>>> connections lingering, waiting for an ACK back from the client
>>> which will never come, since per spec:
>>> 
>>> "Any data received after a closure alert is ignored."
>>> 
>>> 
>>> Is ATS still within the TLS 1.2 spec by continuing to send application
>>> data, even though the client sent a close notify?
>>> 
>>> I tested some other https servers compiled against OpenSSL 1.0.2k, and I
>>> see a close notify sent by the client, with the https server
>>> responding with its own close notify.
>>> 
>>> Thanks!
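Editor's note (added to the archived thread, not part of any message above and not ATS code): the exchange Jeremy describes, with the behaviour Susan says ATS should have, written out as a loopback demo in Go's crypto/tls. The client reads the server's application data, sends close_notify at once without waiting for the peer's alert (as the RFC 5246 text quoted above permits), and keeps its read side open; the server, on seeing the client's close_notify (crypto/tls reports it to Read as io.EOF), answers with its own close_notify via CloseWrite rather than pushing more application data, which the peer is required to ignore. Everything here is an assumption of the demo: the in-memory self-signed certificate for 127.0.0.1, the pinned TLS 1.2 version, the canned HTTP response, and the function names selfSignedCert, serveOnce, runClient and demoCloseNotify. It shows what a compliant peer does; it cannot reproduce the ATS 7.1.4 behaviour reported in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds throwaway key material in memory (constructed for this demo only).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// serveOnce is the well-behaved server: send a response, then answer the client's
// close_notify (seen as io.EOF on Read) with its own alert instead of more application data.
func serveOnce(ln net.Listener, cfg *tls.Config) error {
	raw, err := ln.Accept()
	if err != nil {
		return err
	}
	conn := tls.Server(raw, cfg)
	defer conn.Close() // alert already sent by then; this only closes the TCP socket
	if _, err := conn.Write([]byte("HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")); err != nil {
		return err
	}
	if _, err := conn.Read(make([]byte, 64)); !errors.Is(err, io.EOF) {
		return fmt.Errorf("expected client close_notify, got %v", err)
	}
	return conn.CloseWrite() // sends our close_notify without tearing down the socket
}

// runClient is the initiator from the thread: read the response, send close_notify at
// once without waiting for the peer's alert, then confirm the server's alert arrives.
func runClient(addr string, cfg *tls.Config) (string, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	if err != nil {
		return "", err
	}
	if err := conn.CloseWrite(); err != nil { // our close_notify; the read side stays open
		return "", err
	}
	if _, err := conn.Read(buf); !errors.Is(err, io.EOF) {
		return "", fmt.Errorf("expected server close_notify (io.EOF), got %v", err)
	}
	return string(buf[:n]), nil
}

// demoCloseNotify runs both sides over loopback TLS 1.2; a nil error means both
// ends observed the full exchange (client alert first, then the server's reply alert).
func demoCloseNotify() (string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	srvErr := make(chan error, 1)
	go func() { srvErr <- serveOnce(ln, srvCfg) }()
	resp, err := runClient(ln.Addr().String(), cliCfg)
	if err != nil {
		return resp, err
	}
	return resp, <-srvErr
}
```

The two Read calls that expect io.EOF are the check a practitioner wants: if a server in the serveOnce role kept writing application data after the client's alert instead of calling CloseWrite, the client's second Read would return that data rather than io.EOF and runClient would report the mismatch, which is the symptom described in the thread. To look at a live server rather than this loopback pair, `openssl s_client -connect host:443 -msg` prints the alert records in both directions, and s_client sends its own close_notify when its stdin reaches EOF.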
