trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Susan Hinrichs <shinr...@oath.com>
Subject Re: ATS and TLS close-notify
Date Tue, 04 Sep 2018 12:53:57 GMT
True the change in behavior between 6.x and 7.x is concerning.  The basic
half-open logic hasn't changed as far as I know.  There is one H2 change on
master, but that is not on the 7.1.x branch (just checked).  There may be
some tweaky little change.  Or it may be something else entirely.

On Sun, Sep 2, 2018 at 11:51 AM, Leif Hedstrom <zwoop@apache.org> wrote:

> That seems plausible , but isn’t the indication that things got a lot
> worse from v6.x to 7.x?
>
> The half close logic is old, isn’t it? Did we change something into it in
> 7.x?
>
> — Leif
>
> On Sep 2, 2018, at 07:35, Susan Hinrichs <shinrich@oath.com> wrote:
>
> Thinking on this some more, this sounds like bad interactions with the TCP
> half closed logic in the state machine. If you are doing HTTP 1 over
> non-TLS, it is legal for a client to send a FIN but then read more data
> that the server sends. There is some logic to turn off this half close
> logic in traffic server in inappropriate cases but it is not perfect and
> has varied over time.
>
> Earlier this year there was a PR to add a knob to turn off this behavior,
> but I don't know where it landed. I will check that out when I get back to
> the office.
>
> Susan
>
> On Sat, Sep 1, 2018, 5:56 PM Susan Hinrichs <shinrich@oath.com> wrote:
>
>> Yes, ATS should respond with close notify or at least FIN the connection.
>> What version of ATS are you seeing this with?
>>
>> If there was already an application data packet in flight, it may arrive
>> after the client sends the close notify. But in general ATS should shut
>> down the connection.
>>
>> On Fri, Aug 31, 2018, 11:31 PM Jeremy Payne <jp557198@gmail.com> wrote:
>>
>>> Context:
>>>
>>> Openssl 102k
>>> ATS 714
>>>
>>> I notice that at times a client will send a TLS 1.2 close-notify,
>>> immediately followed by a FIN-ACK. Which seems to be following spec.
>>>
>>> "It is not required for the initiator of the close to wait for the
>>> responding close_notify alert before
>>>    closing the read side of the connection."
>>>
>>>
>>> However, in response, ATS continuous to send 'application data'
>>> instead of issuing its own TLS 1.2 close-notify. Which then results in
>>> connections lingering waiting for an ACK back from the client.
>>> Which will never come, since per spec:
>>>
>>> "Any data received after a closure alert is ignored."
>>>
>>>
>>> Is ATS still within TLS 1.2 spec by continuing to send application
>>> data, even though the client sent a close notify ?
>>>
>>> I tested some other https servers compiled against openssl 102k, and I
>>> see a close notify sent by the client, with the https server
>>> responding with it's own close notify.
>>>
>>> Thanks!
>>>
>>

Mime
View raw message