From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id B17831FF15C
	for <inbox@lore.proxmox.com>; Wed,  5 Mar 2025 22:45:52 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id D6AFC1F05D;
	Wed,  5 Mar 2025 22:45:46 +0100 (CET)
Date: Wed, 05 Mar 2025 21:45:01 +0000
To: pve-devel@lists.proxmox.com
In-Reply-To: <20250305214447.128975-1-admin@truthsolo.net>
References: <20250305214447.128975-1-admin@truthsolo.net>
MIME-Version: 1.0
Message-ID: <mailman.798.1741211145.293.pve-devel@lists.proxmox.com>
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Post: <mailto:pve-devel@lists.proxmox.com>
From: Rob Rozestraten via pve-devel <pve-devel@lists.proxmox.com>
Precedence: list
Cc: Rob Rozestraten <admin@truthsolo.net>
X-Mailman-Version: 2.1.29
X-BeenThere: pve-devel@lists.proxmox.com
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
Subject: [pve-devel] [PATCH pve-http-server v2 1/1] fix unexpected EOF for
 client when closing TLS session
Content-Type: multipart/mixed; boundary="===============7714911577425735876=="
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

--===============7714911577425735876==
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <admin@truthsolo.net>
X-Original-To: pve-devel@lists.proxmox.com
Delivered-To: pve-devel@lists.proxmox.com
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by lists.proxmox.com (Postfix) with ESMTPS id CC379D3CB5
	for <pve-devel@lists.proxmox.com>; Wed,  5 Mar 2025 22:45:44 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id ACD6D1EFBC
	for <pve-devel@lists.proxmox.com>; Wed,  5 Mar 2025 22:45:14 +0100 (CET)
Received: from mail-4317.protonmail.ch (mail-4317.protonmail.ch [185.70.43.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by firstgate.proxmox.com (Proxmox) with ESMTPS
	for <pve-devel@lists.proxmox.com>; Wed,  5 Mar 2025 22:45:13 +0100 (CET)
Date: Wed, 05 Mar 2025 21:45:01 +0000
To: pve-devel@lists.proxmox.com
From: Rob Rozestraten <admin@truthsolo.net>
Subject: [PATCH pve-http-server v2 1/1] fix unexpected EOF for client when closing TLS session
Message-ID: <20250305214447.128975-2-admin@truthsolo.net>
In-Reply-To: <20250305214447.128975-1-admin@truthsolo.net>
References: <20250305214447.128975-1-admin@truthsolo.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

When pve-http-server initiates the closure of a TLS session, it does not
send a TLS close notify, resulting in an unexpected EOF error on systems
with recent crypto policies. This can break functionality with other
applications, such as Foreman[0].

This behavior can be observed in the following cases:

 * client uses HTTP/1.0 (no keepalive; server closes connection)
 * client sends no data for 5 sec (timeout; server closes connection)
 * server responds with 400 (no keepalive; server closes connection)

This patch sends the TLS close notify prior to socket teardown,
resulting in clean closure of TLS connections and no client error.

It also moves shutdown() to after the clearing of handlers. The reason
for this is stoptls() must come before shutdown(), but it also triggers
on_drain(), which calls client_do_disconnect() again. The extra call to
client_do_disconnect() is avoided inside accept_connections() by commit
f737984, but perhaps clearing the handlers prior to shutdown() will
avoid it in all cases.

[0]: https://github.com/theforeman/foreman_fog_proxmox/issues/325

Signed-off-by: Rob Rozestraten <admin@truthsolo.net>
---

 changes since v1:
 * move stoptls() after clearing of handlers
 * move shutdown() after clearing of handlers

 src/PVE/APIServer/AnyEvent.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 8a52836..e6d1028 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -141,11 +141,13 @@ sub client_do_disconnect {
     my $shutdown_hdl =3D sub {
 =09my $hdl =3D shift;
=20
-=09shutdown($hdl->{fh}, 1);
 =09# clear all handlers
 =09$hdl->on_drain(undef);
 =09$hdl->on_read(undef);
 =09$hdl->on_eof(undef);
+
+=09$hdl->stoptls();
+=09shutdown($hdl->{fh}, 1);
     };
=20
     if (my $proxyhdl =3D delete $reqstate->{proxyhdl}) {
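Review bot: the new ordering `$hdl->stoptls();` immediately followed by `shutdown($hdl->{fh}, 1);` only delivers the close_notify if stoptls() manages to write the whole alert to the socket synchronously; AnyEvent::Handle queues TLS output in its write buffer and flushes the remainder when the socket becomes writable, so a client that is slow to read (or a full send buffer) can leave part of the alert queued, at which point shutdown(..., 1) closes the write side first and the alert is lost, reproducing the unexpected EOF this patch is meant to fix. Consider deferring the shutdown until the buffer has drained, e.g. replacing the two new lines with `$hdl->stoptls();` followed by `$hdl->push_shutdown();` (which installs an on_drain callback that performs the shutdown once all queued data is written); since on_drain was cleared just above, that callback would not re-enter client_do_disconnect, which also addresses the re-entrance the commit message describes. Relatedly, the commit message's "perhaps clearing the handlers prior to shutdown() will avoid it in all cases" should be confirmed rather than left as a guess before merging.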
--=20
2.48.1
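As an added illustration of what the commit message calls an "unexpected EOF" (this is example code written for this review, not code from the patch or from pve-http-server), the following Python parses a constructed stream of plaintext TLS records and classifies how the peer ended the session: a close_notify alert as the last record (a clean close, what the patch produces), a bare TCP FIN after the last record (the pre-patch behaviour), or a FIN in the middle of a record. The byte streams, the HTTP/1.0 response text and the TLS 1.2 wire version used in the record headers are constructed sample data; for TLS 1.3 the outer record type is always application_data, so the same classification applies only to the decrypted inner records an endpoint sees, not to a passive capture.

```python
"""Record-layer view of how a TLS session ended: close_notify or bare EOF.

Added example, not code from the patch or from pve-http-server. It parses
a constructed stream of plaintext TLS records (what an endpoint sees after
record decryption; for TLS 1.3 this is the inner plaintext, since the outer
type is always application_data) and reports whether the peer sent a
close_notify alert before the TCP connection ended.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

CT_ALERT = 21
CT_APPLICATION_DATA = 23
ALERT_LEVEL_WARNING = 1
ALERT_LEVEL_FATAL = 2
ALERT_CLOSE_NOTIFY = 0
HEADER_LEN = 5                   # type(1) || version(2) || length(2)
MAX_RECORD_LEN = 2 ** 14 + 2048  # TLSCiphertext limit (RFC 5246 / RFC 8446)


@dataclass
class Record:
    content_type: int
    version: Tuple[int, int]
    payload: bytes


def build_record(content_type: int, payload: bytes, version=(3, 3)) -> bytes:
    """Frame a payload as one TLS record (version 3.3 is the TLS 1.2 wire value)."""
    return struct.pack("!BBBH", content_type, *version, len(payload)) + payload


def parse_records(stream: bytes) -> Tuple[List[Record], bytes]:
    """Split a byte stream into whole records.

    Returns the records plus any trailing bytes that do not form a complete
    record (a header whose payload was cut short, or a partial header).
    """
    records: List[Record] = []
    offset = 0
    while len(stream) - offset >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if length > MAX_RECORD_LEN:
            raise ValueError(f"record length {length} exceeds the TLS maximum")
        end = offset + HEADER_LEN + length
        if end > len(stream):
            break  # the header promises more bytes than arrived
        records.append(Record(ctype, (major, minor), stream[offset + HEADER_LEN:end]))
        offset = end
    return records, stream[offset:]


def classify_session_end(stream: bytes) -> str:
    """Say how the peer ended the session, the way a TLS client library judges it.

    'clean-close'      -> close_notify alert was the last record (expected EOF)
    'unexpected-eof'   -> TCP FIN with no alert (the error the patch fixes)
    'truncated-record' -> FIN landed in the middle of a record
    'fatal-alert-N' / 'warning-alert-N' -> some other alert ended the session
    """
    records, leftover = parse_records(stream)
    if leftover:
        return "truncated-record"
    if not records or records[-1].content_type != CT_ALERT:
        return "unexpected-eof"
    alert = records[-1].payload
    if len(alert) != 2:  # one (level, description) pair per alert record
        return "malformed-alert"
    level, description = alert
    if description == ALERT_CLOSE_NOTIFY:
        return "clean-close"
    kind = "fatal" if level == ALERT_LEVEL_FATAL else "warning"
    return f"{kind}-alert-{description}"


# Constructed sample streams standing in for what a client receives after the
# server has answered an HTTP/1.0 request (no keepalive, so the server closes).
HTTP_RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"
CLOSE_NOTIFY = bytes([ALERT_LEVEL_WARNING, ALERT_CLOSE_NOTIFY])


def server_closes_cleanly() -> bytes:
    """Response, then close_notify, then TCP FIN: what the patched server does."""
    return build_record(CT_APPLICATION_DATA, HTTP_RESPONSE) + build_record(CT_ALERT, CLOSE_NOTIFY)


def server_closes_abruptly() -> bytes:
    """Response, then TCP FIN with no alert: the pre-patch behaviour."""
    return build_record(CT_APPLICATION_DATA, HTTP_RESPONSE)


def server_cut_mid_record() -> bytes:
    """Connection dropped while the response record was still in flight."""
    return build_record(CT_APPLICATION_DATA, HTTP_RESPONSE)[:-3]


if __name__ == "__main__":
    for name, stream in (("clean", server_closes_cleanly()),
                         ("abrupt", server_closes_abruptly()),
                         ("cut", server_cut_mid_record())):
        print(f"{name:>7}: {classify_session_end(stream)}")
```

The "unexpected-eof" outcome is the condition OpenSSL 3 reports as SSL_R_UNEXPECTED_EOF_WHILE_READING unless the application sets SSL_OP_IGNORE_UNEXPECTED_EOF, and that Python's ssl module raises as SSLEOFError when a socket is wrapped with suppress_ragged_eofs=False; older clients silently treated it as a normal end of stream, which is why the bug only became visible under recent crypto policies. Distinguishing the two cases matters beyond interoperability: a client that accepts a bare FIN as a clean close cannot tell a finished response from one that an on-path party cut short.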




--===============7714911577425735876==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

--===============7714911577425735876==--