Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/06/15 09:34:26 UTC

[tomcat] branch 8.5.x updated: Fix BZ 65368 - better handling of closed TLS connection

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 2f134e4  Fix BZ 65368 - better handling of closed TLS connection
2f134e4 is described below

commit 2f134e4a94a260cf67bd140e320151f106fc9e1e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jun 10 16:56:25 2021 +0100

    Fix BZ 65368 - better handling of closed TLS connection
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=65368
---
 java/org/apache/tomcat/util/net/SecureNioChannel.java | 8 ++++++++
 webapps/docs/changelog.xml                            | 5 +++++
 2 files changed, 13 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/SecureNioChannel.java b/java/org/apache/tomcat/util/net/SecureNioChannel.java
index 46735ad..cd42a5c 100644
--- a/java/org/apache/tomcat/util/net/SecureNioChannel.java
+++ b/java/org/apache/tomcat/util/net/SecureNioChannel.java
@@ -681,6 +681,14 @@ public class SecureNioChannel extends NioChannel  {
                                 sm.getString("channel.nio.ssl.unwrapFailResize", unwrap.getStatus()));
                     }
                 }
+            } else if (unwrap.getStatus() == Status.CLOSED && netInBuffer.position() == 0 && read > 0) {
+                // Clean TLS close on input side but there is application data
+                // to process. Can't tell if the client closed the connection
+                // mid-request or if the client is performing a half-close after
+                // a complete request. Assume it is a half-close and allow
+                // processing to continue. If the connection has been closed
+                // mid-request then the next attempt to read will trigger an
+                // EOF.
             } else {
                 // Something else went wrong
                 throw new IOException(sm.getString("channel.nio.ssl.unwrapFail", unwrap.getStatus()));
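
Review bot: The new `else if` branch for `Status.CLOSED` has no statements, only a comment, so the decision to treat the close as a half-close and continue leaves no trace at runtime. Since the comment itself says the code cannot tell a mid-request close from a half-close after a complete request, a debug-level log entry in this branch would let an operator correlate it with the EOF that the comment expects on the next read. The comment should also say what happens when `netInBuffer.position() != 0` or `read` is not greater than 0: those cases still fall through to the following `else` and throw the `channel.nio.ssl.unwrapFail` IOException. The diffstat lists only SecureNioChannel.java and changelog.xml, so no test in this commit covers the new condition; a test that sends a complete request followed by a clean TLS close would pin the behaviour down.
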
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8d48951..203612f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -108,6 +108,11 @@
   <subsection name="Coyote">
     <changelog>
       <fix>
+        <bug>65368</bug>: Improve handling of clean closes of inbound TLS
+        connections. Treat them the same way as clean closes of non-TLS
+        connections rather than as unknown errors. (markt)
+      </fix>
+      <fix>
         Modify the HTTP/2 connector not to sent small updates for stream flow
         control windows to the user agent as, depending on how the user agent is
         written, this may trigger small writes from the user agent that in turn
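
Review bot: The new `<bug>65368</bug>` entry describes the change more broadly than the code implements it. The branch added to SecureNioChannel.java only applies when `netInBuffer.position() == 0 && read > 0`, that is, when application data has already been read alongside the close; other `CLOSED` results still raise the unwrap failure. Consider wording the entry to say that a clean inbound TLS close received together with application data is treated as a half-close and processing continues. Separately, the unchanged entry just below reads "not to sent small updates"; that typo could be corrected in a follow-up.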
