Hi Steven,

On Mon, Mar 13, 2017 at 09:54:49AM -0700, Steven Davidovitz wrote:
> Hi,
> 
> Just wanted to follow up. I've been running this patch for a couple days on
> an idle system and haven't noticed any problems.
> Could this be merged? Is there anything else I can test?

I'm personally fine with it but I'd rather have Emeric approve it, as
he knows better than me the possible impacts of shutting down cleanly
or not on SSL.

Emeric, I've re-attached the patch. Using conn_data_shutw() instead of
conn_data_shutw_hard() causes the "clean" flag to be set when calling
ssl_sock_shutw() and SSL_set_quiet_shutdown() not to be called so that
we perform a clean shutdown. The purpose is to give a chance to the
server to store the context and avoid renegotiating.

This will likely have to be backported to 1.7, 1.6 and 1.5.

Willy

From a544fcb1b8b33d2f7b4b66280484f6e835a5df69 Mon Sep 17 00:00:00 2001
From: Steven Davidovitz <ste...@squareup.com>
Date: Wed, 8 Mar 2017 11:06:20 -0800
Subject: [PATCH] BUG/MINOR: attempt clean shutw for check

Strict interpretation of TLS can cause SSL sessions
to be thrown away when the socket is shutdown without
sending a "close notify".
---
 src/checks.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/checks.c b/src/checks.c
index 49bd886b..b3ad96ec 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -1349,14 +1349,15 @@ static void event_srv_chk_r(struct connection *conn)
        *check->bi->data = '\0';
        check->bi->i = 0;
 
-       /* Close the connection... We absolutely want to perform a hard close
-        * and reset the connection if some data are pending, otherwise we end
-        * up with many TIME_WAITs and eat all the source port range quickly.
-        * To avoid sending RSTs all the time, we first try to drain pending
-        * data.
+       /* Close the connection... We still attempt to nicely close if,
+        * for instance, SSL needs to send a "close notify." Later, we perform
+        * a hard close and reset the connection if some data are pending,
+        * otherwise we end up with many TIME_WAITs and eat all the source port
+        * range quickly.  To avoid sending RSTs all the time, we first try to
+        * drain pending data.
         */
        __conn_data_stop_both(conn);
-       conn_data_shutw_hard(conn);
+       conn_data_shutw(conn);
 
        /* OK, let's not stay here forever */
        if (check->result == CHK_RES_FAILED)
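Review bot: the rewritten comment above conn_data_shutw(conn) says "Later, we perform a hard close and reset the connection if some data are pending", but nothing in this hunk shows where that later hard close happens now that conn_data_shutw_hard(conn) is gone. Please name the call or code path that still performs the hard close, or add it, since the new comment keeps the TIME_WAIT and source-port-range concern from the old one. The call sits in event_srv_chk_r() with no SSL condition visible around it, so the softer shutdown applies to every check type; the comment should say whether plain TCP checks are expected to close exactly as before.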
-- 
2.11.1