On 05.03.25 at 22:45, Rob Rozestraten via pve-devel wrote:
> When pve-http-server initiates the closure of a TLS session, it does not
> send a TLS close notify, resulting in an unexpected EOF error on systems
> with recent crypto policies. This can break functionality with other
> applications, such as Foreman[0].
>
> This behavior can be observed in the following cases:
>
> * client uses HTTP/1.0 (no keepalive; server closes connection)
> * client sends no data for 5 sec (timeout; server closes connection)
> * server responds with 400 (no keepalive; server closes connection)
>
> This patch sends the TLS close notify prior to socket teardown,
> resulting in clean closure of TLS connections and no client error.
>
> It also moves shutdown() to after the clearing of handlers. The reason
> for this is stoptls() must come before shutdown(), but it also triggers
> on_drain(), which calls client_do_disconnect() again. The extra call to
> client_do_disconnect() is avoided inside accept_connections() by commit
> f737984, but perhaps clearing the handlers prior to shutdown() will
> avoid it in all cases.
>
> [0]: https://github.com/theforeman/foreman_fog_proxmox/issues/325
>

I feel like the questions regarding blocking/missing client ack from Fabian
from v1 are not answered yet:

> If I read the docs right, this could block (would that be an issue here?) and
> could potentially destroy the handle (so that might need to be rechecked
> afterwards to prevent spurious warnings?)
>
> what happens if we initiate the teardown, and the client never acks it?