Comments (17)
If an alert is queued for sending during Accepted::into_connection, I think there is no way for a caller to get it? They don't have the original Accepted, and don't get a ServerConnection because they get an error instead. Maybe the Err return type of that should be struct ErrorAndAlert(Error, Vec<u8>) or something.
from rustls.
@djc Thanks a lot! Isn't returning AcceptedAlert along with an error from Acceptor::accept() a bit too soon, as Acceptor does not have a ServerConfig?
In the example code snippet below, a TLS alert should be sent because the local ServerConfig is configured not to support TLS 1.2 (which the client is trying to use).
let mut acceptor = Acceptor::default();
let accepted = loop {
    // Feed bytes from the transport until a complete ClientHello has been buffered.
    acceptor.read_tls(&mut stream)?;
    if let Some(accepted) = acceptor.accept()? {
        break accepted;
    }
};
// Use a fixed config
let mut conn = accepted.into_connection(config)?;
// complete_io() is what would flush a queued alert to the peer; it is never
// reached when into_connection() returns Err on the line above.
let (_bytes_read, _bytes_written) = conn.complete_io(&mut stream)?;
from rustls.
Ah, yes -- I revised the PR to also change the error type for Accepted::into_connection().
from rustls.
@cpu @djc Thank you very much for fixing this! 👍🏻 I'm actually using tokio_rustls::LazyConfigAcceptor and tokio_rustls::StartHandshake, so I have to wait until the updated function signatures are used there.
from rustls.
I spent some time looking at this on Saturday. It's not obvious to me why this happens from looking at the Acceptor/Accepted/server handshake code, but maybe it's an interaction with how complete_io() calls things?
from rustls.
Is it because Accepted::into_connection(config) returns with an error result after calling ExpectClientHello::with_certified_key(self, ...)? at src/server/server_conn.rs#L796? The error itself is propagated from src/server/hs.rs#L278.
from rustls.
Hmm, yes. So if an error occurs in process_new_packets(), complete_io() will still call write_tls() (exactly for the purpose of getting out the alert). However, in your acceptor-based code, you'd get an error value from Accepted::into_connection(), and you'd likely not call complete_io() after that.
So I think this is technically an error in your code, but it's also a bit of a pitfall with the Acceptor setup and likely something we should at least clearly document. Or maybe we should have a Stream-like Acceptor wrapper?
from rustls.
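The flush-the-alert discipline described in the comment above, as an added example that is not rustls code: the types here (ServerConfig, Accepted, AcceptedAlert, ServerConnection, accept_with_alert) are stand-ins written for this example so that the block compiles without the crate. They model the API shape the thread converges on, in which a failed into_connection returns the error together with the queued alert, and the caller writes that alert to the stream before dropping the connection. The "ClientHello" is a constructed 2-byte version field; the alert bytes are the real wire encoding of a fatal protocol_version alert.

```rust
// Added example, not rustls code: stand-in types that model the API shape the
// thread converges on, where the handshake step that can fail once a config is
// known returns the error together with the pending TLS alert, so the caller
// can flush the alert before giving up on the connection.
use std::io::{self, Write};

/// A fatal protocol_version alert as it appears on the wire: content type
/// alert (21), record version 0x0303, length 2, level fatal (2),
/// description protocol_version (70). Encoding per RFC 8446 section 6.
pub const ALERT_PROTOCOL_VERSION: [u8; 7] = [0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x46];

#[derive(Debug, PartialEq)]
pub enum Error {
    /// Malformed or truncated ClientHello (constructed stand-in variant).
    InvalidMessage,
    /// Client and server share no protocol version.
    PeerIncompatible(&'static str),
    /// Writing the alert to the transport failed.
    Io(io::ErrorKind),
}

/// The alert bytes queued by a failed handshake step; handed back next to the
/// error instead of being stranded inside a connection the caller never gets.
pub struct AcceptedAlert(Vec<u8>);

impl AcceptedAlert {
    /// Flush the whole queued alert to the transport.
    pub fn write_all(&mut self, wr: &mut dyn Write) -> io::Result<()> {
        wr.write_all(&self.0)?;
        self.0.clear();
        Ok(())
    }
}

/// Stand-in for ServerConfig: the protocol versions this server accepts.
pub struct ServerConfig {
    pub versions: Vec<u16>,
}

/// Stand-in for Accepted: a buffered ClientHello that has not yet been checked
/// against any config, which is why the accept step alone cannot decide on a
/// protocol_version alert.
pub struct Accepted {
    client_version: u16,
}

#[derive(Debug)]
pub struct ServerConnection {
    pub version: u16,
}

impl Accepted {
    /// Parse a constructed "ClientHello" that is just a 2-byte version field
    /// (a real ClientHello carries much more, including supported_versions).
    pub fn from_hello(hello: &[u8]) -> Result<Accepted, Error> {
        match hello {
            [hi, lo, ..] => Ok(Accepted { client_version: u16::from_be_bytes([*hi, *lo]) }),
            _ => Err(Error::InvalidMessage),
        }
    }

    /// The step the thread is about: the config is known now, so the version
    /// check can fail, and the error carries the alert explaining why.
    pub fn into_connection(
        self,
        config: &ServerConfig,
    ) -> Result<ServerConnection, (Error, AcceptedAlert)> {
        if config.versions.contains(&self.client_version) {
            Ok(ServerConnection { version: self.client_version })
        } else {
            Err((
                Error::PeerIncompatible("no supported protocol version"),
                AcceptedAlert(ALERT_PROTOCOL_VERSION.to_vec()),
            ))
        }
    }
}

/// Drive the acceptor pattern the way a caller should: on failure, write the
/// alert to the stream before returning the error. Skipping that write is the
/// pitfall from the thread; the peer would only ever see a closed socket.
pub fn accept_with_alert(
    hello: &[u8],
    config: &ServerConfig,
    stream: &mut dyn Write,
) -> Result<ServerConnection, Error> {
    let accepted = Accepted::from_hello(hello)?;
    match accepted.into_connection(config) {
        Ok(conn) => Ok(conn),
        Err((err, mut alert)) => {
            alert.write_all(stream).map_err(|e| Error::Io(e.kind()))?;
            Err(err)
        }
    }
}

fn main() {
    // Constructed scenario from the thread: server is TLS 1.3 only, client offers 1.2.
    let tls13_only = ServerConfig { versions: vec![0x0304] };
    let mut wire: Vec<u8> = Vec::new();
    let result = accept_with_alert(&[0x03, 0x03], &tls13_only, &mut wire);
    println!("result: {:?}", result.map(|c| c.version));
    println!("bytes sent to peer: {:02x?}", wire);
}
```

The design point is that the alert lives in the error, not in a connection object: once into_connection has failed there is no ServerConnection to call complete_io() on, so the only way the peer ever learns why the handshake stopped is for the caller to write the returned alert itself. On the success path nothing is written, and a truncated hello fails before any config is consulted, so no alert is produced for it either.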
Ahh, that's fair.
from rustls.
I suppose the Err type could be a wrapper around the ConnectionCommon<ServerData> that exposes a write_alert() method in addition to the actual Error?
from rustls.
Would the following change in Accepted::into_connection(config) be an adequate fix?
diff --git a/rustls/src/server/server_conn.rs b/rustls/src/server/server_conn.rs
index fe1569ca..80d4d194 100644
--- a/rustls/src/server/server_conn.rs
+++ b/rustls/src/server/server_conn.rs
@@ -798,9 +798,9 @@ impl Accepted {
Self::client_hello_payload(&self.message),
&self.message,
&mut cx,
- )?;
+ );
- self.connection.replace_state(new);
+ self.connection.core.state = new;
Ok(ServerConnection {
inner: self.connection,
})
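Review bot: with the ? dropped from ")?;" and the Result assigned straight into self.connection.core.state, into_connection() no longer reports the config mismatch through its own return value; it always reaches Ok(ServerConnection { ... }) and the error only appears on the next process_new_packets() or complete_io() call, which is what gets the alert written. That deferred failure should be stated in the doc comment of into_connection(), since a caller checking only this function's result will now see success. The hunk also removes the replace_state(new) call in favour of writing core.state directly from this file, and the assignment only type-checks because core.state already holds a Result; a method on the connection for entering a failed state would keep that detail encapsulated.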
At least it seems to handle the error case properly. Calling complete_io(...) on the ServerConnection handles sending the TLS alert and returning with an error result.
from rustls.
Sketched out a fix in #1811.
from rustls.
@vartiait2 Thanks for the detailed bug report. This should be fixed with #1811 and included in the upcoming release (#1777)
from rustls.
@vartiait2 Would you be interested in writing a PR for tokio-rustls to bring those API updates over?
from rustls.
Sure 👍🏻
from rustls.
@vartiait2 Ah, looks like ctz beat you to it: rustls/tokio-rustls#44
from rustls.
Oops! Sorry about that.
from rustls.
No problem! 😄 Thanks a lot @ctz for a quick integration update! 👍🏻
from rustls.