FIX: Alert handling in ASIO stream and HTTP Server#3795
Merged
reneme merged 3 commits intorandombit:masterfrom Nov 5, 2023
Merged
FIX: Alert handling in ASIO stream and HTTP Server#3795reneme merged 3 commits intorandombit:masterfrom
reneme merged 3 commits intorandombit:masterfrom
Conversation
Co-Authored-By: Fabian Albert <fabian.albert@rohde-schwarz.com>
reneme
commented
Nov 2, 2023
c7d9fb8 to
42e32c1
Compare
Collaborator
Author
|
Force pushed to explain it again for MSVC. It produced warnings for unreachable code that were false positives. 🤷♂️ |
Collaborator
|
Nice! TLS-Anvil is not yet fully satisfied but many failing tests were fixed by these changes (see TLS-Anvil CI for this PR). Before we had 62 failing tests, now we only have 8. We'll look into these as well. |
86672dd to
9a21fe3
Compare
Collaborator
Author
|
8ac28bf contains another fix. On application level ( |
Co-Authored-By: Fabian Albert <fabian.albert@rohde-schwarz.com>
9a21fe3 to
8ac28bf
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Turns out that #3778 seems to be caused by a long-standing bug in the ASIO stream wrapper. Consider a client sending a ClientHello that a server has to reject with a lack of compatible ciphersuites. Botan's TLS server would signal that with a
TLS_Exception(Alert::HandshakeFailure, "...").The TLS stream wrapper (as the server) didn't properly handle that (as in: send a fatal alert message, terminate the connection and report a reasonable error code back to ASIO). Instead it just closed the connection immediately.
Likewise, when receiving a fatal alert message from a peer, the ASIO stream wrapper didn't report that back to the application as an error code but also simply terminated the connection.
This surfaced because the TLS Anvil nightly test is based on
./botan tls_http_server, which is now based on the ASIO stream: #3763. Here we add proper handling for both cases and a suitable regression test.Fortunately, the buggy behavior was arguable "okayish": The connection was hard-reset. Just, the application and the peer didn't get a proper error message. TLS-Anvil isn't satisfied with just that, though.
@FAlbertDev Let's verify tomorrow that this helps with #3778.