You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/06/10 15:56:53 UTC

[tomcat] branch main updated: Fix BZ 65368 - better handling of closed TLS connection

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new ab3aa9d  Fix BZ 65368 - better handling of closed TLS connection
ab3aa9d is described below

commit ab3aa9da76828c1e54ff55a8db484f3a8ceaa054
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jun 10 16:56:25 2021 +0100

    Fix BZ 65368 - better handling of closed TLS connection
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=65368
---
 java/org/apache/tomcat/util/net/SecureNioChannel.java | 8 ++++++++
 webapps/docs/changelog.xml                            | 9 +++++++++
 2 files changed, 17 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/SecureNioChannel.java b/java/org/apache/tomcat/util/net/SecureNioChannel.java
index 277193b..de47904 100644
--- a/java/org/apache/tomcat/util/net/SecureNioChannel.java
+++ b/java/org/apache/tomcat/util/net/SecureNioChannel.java
@@ -651,6 +651,14 @@ public class SecureNioChannel extends NioChannel {
                                 sm.getString("channel.nio.ssl.unwrapFailResize", unwrap.getStatus()));
                     }
                 }
+            } else if (unwrap.getStatus() == Status.CLOSED && netInBuffer.position() == 0 && read > 0) {
+                // Clean TLS close on input side but there is application data
+                // to process. Can't tell if the client closed the connection
+                // mid-request or if the client is performing a half-close after
+                // a complete request. Assume it is a half-close and allow
+                // processing to continue. If the connection has been closed
+                // mid-request then the next attempt to read will trigger an
+                // EOF.
             } else {
                 // Something else went wrong
                 throw new IOException(sm.getString("channel.nio.ssl.unwrapFail", unwrap.getStatus()));
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 229b7e7..c9595e9 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 10.1.0-M2 (markt)" rtext="in development">
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        <bug>65368</bug>: Improve handling of clean closes of inbound TLS
+        connections. Treat them the same way as clean closes of non-TLS
+        connections rather than as unknown errors. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Other">
     <changelog>
       <add>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org