Posted to issues@trafficserver.apache.org by "kang li (JIRA)" <ji...@apache.org> on 2014/04/10 06:08:15 UTC

[jira] [Created] (TS-2709) ATS doesn't send "close notify" before closing the connection, which breaks the RFC standard and causes some unexpected results

kang li created TS-2709:
---------------------------

             Summary: ATS doesn't send "close notify" before closing the connection, which breaks the RFC standard and causes some unexpected results
                 Key: TS-2709
                 URL: https://issues.apache.org/jira/browse/TS-2709
             Project: Traffic Server
          Issue Type: Bug
          Components: SSL
            Reporter: kang li


ATS directly sends FIN to the client without sending "close notify" before it. This breaks the RFC standard. This can be easily reproduced by setting:

CONFIG proxy.config.http.keep_alive_enabled_in INT 0

http://tools.ietf.org/html/rfc5246#section-7.2.1
7.2.1.  Closure Alerts

   The client and the server must share knowledge that the connection is
   ending in order to avoid a truncation attack.  Either party may
   initiate the exchange of closing messages.

   close_notify
      This message notifies the recipient that the sender will not send
      any more messages on this connection.  Note that as of TLS 1.1,
      failure to properly close a connection no longer requires that a
      session not be resumed.  This is a change from TLS 1.0 to conform
      with widespread implementation practice.

   Either party may initiate a close by sending a close_notify alert.
   Any data received after a closure alert is ignored.

This causes Safari on Apple devices to send "fatal alert 0" in some conditions. This would generate a lot of "error" logs in diags.log. Apple's SSL library libsecurity_ssl sometimes treats an unexpected shutdown as a fatal error.

ERROR: SSL::44:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1256:SSL alert number 0







--
This message was sent by Atlassian JIRA
(v6.2#6252)
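
An added example, not part of the original report or of the Traffic Server code: one way to check the server-to-client bytes of a captured connection for the behaviour described above, by walking the TLS record headers and testing whether the last record before the FIN is an alert. The function names and sample streams are constructed for illustration, and the check assumes TLS 1.2 or earlier, where the alert content type is visible in the record header.

```python
import struct

ALERT, APPLICATION_DATA = 21, 23  # TLS ContentType values, RFC 5246 section 6.2.1


def record(ctype, fragment, version=0x0303):
    """Build one TLS record: 5-byte header (type, version, length) + fragment."""
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


def tls_records(stream):
    """Yield (content_type, fragment) per record; raise if the stream is cut off."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("stream ends inside a record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) < length:
            raise ValueError("stream ends inside a record body")
        yield ctype, fragment
        pos += 5 + length


def closure_status(server_bytes):
    """Classify how the server's side of the connection ended before its FIN."""
    try:
        records = list(tls_records(server_bytes))
    except ValueError:
        return "truncated-record"
    if not records:
        return "no-records"
    ctype, fragment = records[-1]
    if ctype != ALERT:
        return "no-alert-before-fin"  # the behaviour this report describes
    if len(fragment) == 2:  # unencrypted alert body: level, description
        _level, description = fragment
        return "close_notify" if description == 0 else f"alert-{description}"
    return "encrypted-alert"  # body is ciphertext; description needs session keys


# Constructed sample streams; the filler bytes stand in for ciphertext.
APP = record(APPLICATION_DATA, b"\x00" * 32)
ABRUPT = APP + APP                         # data, then FIN
CLEAN = APP + record(ALERT, b"\x11" * 26)  # data, alert record, then FIN

if __name__ == "__main__":
    for name, stream in (("abrupt", ABRUPT), ("clean", CLEAN)):
        print(name, closure_status(stream))
```

An "encrypted-alert" result shows that an alert record preceded the FIN, not which alert it was.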