Posted to issues@trafficserver.apache.org by "Bryan Call (JIRA)" <ji...@apache.org> on 2014/05/20 18:16:39 UTC

[jira] [Assigned] (TS-2709) ATS doesn't send "close notify" before closing the connection, which breaks the RFC standard and causes some unexpected results

     [ https://issues.apache.org/jira/browse/TS-2709?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bryan Call reassigned TS-2709:
------------------------------

    Assignee: Bryan Call

> ATS doesn't send "close notify" before closing the connection, which breaks the RFC standard and causes some unexpected results
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: TS-2709
>                 URL: https://issues.apache.org/jira/browse/TS-2709
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: kang li
>            Assignee: Bryan Call
>             Fix For: 5.0.0
>
>
> ATS directly sends FIN to the client without sending "close notify" before it. This breaks the RFC standard. This can be easily reproduced by setting
> CONFIG proxy.config.http.keep_alive_enabled_in INT 0
> http://tools.ietf.org/html/rfc5246#section-7.2.1
> 7.2.1.  Closure Alerts
>    The client and the server must share knowledge that the connection is
>    ending in order to avoid a truncation attack.  Either party may
>    initiate the exchange of closing messages.
>    close_notify
>       This message notifies the recipient that the sender will not send
>       any more messages on this connection.  Note that as of TLS 1.1,
>       failure to properly close a connection no longer requires that a
>       session not be resumed.  This is a change from TLS 1.0 to conform
>       with widespread implementation practice.
>    Either party may initiate a close by sending a close_notify alert.
>    Any data received after a closure alert is ignored.
> This causes Safari on Apple devices to send "fatal alert 0" in some conditions. This would generate a lot of "error" logs in diags.log. Apple's SSL library libsecurity_ssl treats an unexpected shutdown as a fatal error at times.
> ERROR: SSL::44:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0



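Added example (not part of the original JIRA message and not Traffic Server code): a Python check over one direction of a TLS 1.2 record stream that reports whether the sender finished with an alert record, as RFC 5246 section 7.2.1 expects, or went straight to FIN. The function names and the sample streams are constructed for illustration.

```python
import struct

ALERT, APPLICATION_DATA = 21, 23   # TLS ContentType values (RFC 5246, 6.2.1)
CLOSE_NOTIFY = 0                   # AlertDescription close_notify (RFC 5246, 7.2)


def parse_records(stream: bytes):
    """Split a one-direction TLS byte stream into (type, payload) records.

    Returns (records, leftover); leftover is non-empty when the stream
    ends in the middle of a record.
    """
    records, pos = [], 0
    while len(stream) - pos >= 5:
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if len(stream) - pos - 5 < length:
            break                  # sender stopped mid-record
        records.append((ctype, stream[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records, stream[pos:]


def classify_close(stream: bytes) -> str:
    """Describe how the sender ended its side of the connection."""
    records, leftover = parse_records(stream)
    if leftover:
        return "truncated: stream ends inside a record"
    if not records or records[-1][0] != ALERT:
        return "truncated: no alert record before end of stream"
    payload = records[-1][1]
    # A 2-byte payload is a plaintext alert (level, description). After the
    # handshake the body is encrypted and only the record type is visible.
    if len(payload) != 2:
        return "alert record present (encrypted body)"
    if payload[1] == CLOSE_NOTIFY:
        return "clean: close_notify"
    return f"alert: description {payload[1]}"


def record(ctype: int, payload: bytes, version: int = 0x0303) -> bytes:
    """Build one TLS record (hypothetical helper for the samples below)."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


# Constructed server-to-client streams, not captured traffic.
APP = record(APPLICATION_DATA, b"\x00" * 32)
FIN_ONLY = APP + APP                                   # FIN right after data
WITH_CLOSE_NOTIFY = APP + record(ALERT, b"\x01\x00")   # warning, close_notify
CUT_MID_RECORD = APP + APP[:10]                        # header plus partial body
```

On a real capture the alert body is encrypted once the handshake has completed, so the check can confirm that an alert record preceded the FIN but cannot read its description.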