> On 08.04.2025 09:27 CEST, Fiona Ebner <f.eb...@proxmox.com> wrote:
>
> On 05.03.25 at 22:45, Rob Rozestraten via pve-devel wrote:
> > When pve-http-server initiates the closure of a TLS session, it does not
> > send a TLS close notify, resulting in an unexpected EOF error on systems
> > with recent crypto policies. This can break functionality with other
> > applications, such as Foreman[0].
> >
> > This behavior can be observed in the following cases:
> >
> > * client uses HTTP/1.0 (no keepalive; server closes connection)
> > * client sends no data for 5 sec (timeout; server closes connection)
> > * server responds with 400 (no keepalive; server closes connection)
> >
> > This patch sends the TLS close notify prior to socket teardown,
> > resulting in clean closure of TLS connections and no client error.
> >
> > It also moves shutdown() to after the clearing of handlers. The reason
> > for this is stoptls() must come before shutdown(), but it also triggers
> > on_drain(), which calls client_do_disconnect() again. The extra call to
> > client_do_disconnect() is avoided inside accept_connections() by commit
> > f737984, but perhaps clearing the handlers prior to shutdown() will
> > avoid it in all cases.
> >
> > [0]: https://github.com/theforeman/foreman_fog_proxmox/issues/325
> >
>
> I feel like the questions regarding blocking/missing client ack from
> Fabian from v1 are not answered yet:
>
> > If I read the docs right, this could block (would that be an issue here?)
> > and could potentially destroy the handle (so that might need to be
> > rechecked afterwards to prevent spurious warnings?)
> >
> > what happens if we initiate the teardown, and the client never acks it?

there was some more input in a separate mail: https://lore.proxmox.com/pve-devel/mailman.799.1741211155.293.pve-de...@lists.proxmox.com/