From 07e56cc9dd8c1d3354aaf317adaac109437e80f7 Mon Sep 17 00:00:00 2001
From: Rob Rozestraten via pve-devel
Date: Wed, 5 Mar 2025 21:45:01 +0000
Subject: [PATCH] fix unexpected EOF for client when closing TLS session

When pve-http-server initiates the closure of a TLS session, it does not
send a TLS close notify, resulting in an unexpected EOF error on systems
with recent crypto policies. This can break functionality with other
applications, such as Foreman[0].

This behavior can be observed in the following cases:

* client uses HTTP/1.0 (no keepalive; server closes connection)
* client sends no data for 5 sec (timeout; server closes connection)
* server responds with 400 (no keepalive; server closes connection)

This patch sends the TLS close notify prior to socket teardown,
resulting in clean closure of TLS connections and no client error.

It also moves shutdown() to after the clearing of handlers. The reason
for this is stoptls() must come before shutdown(), but it also triggers
on_drain(), which calls client_do_disconnect() again. The extra call to
client_do_disconnect() is avoided inside accept_connections() by commit
f737984, but perhaps clearing the handlers prior to shutdown() will
avoid it in all cases.

[0]: https://github.com/theforeman/foreman_fog_proxmox/issues/325

Signed-off-by: Rob Rozestraten
Link: https://lore.proxmox.com/mailman.798.1741211145.293.pve-devel@lists.proxmox.com
Signed-off-by: Thomas Lamprecht
---
 src/PVE/APIServer/AnyEvent.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 7499474..9b18ee2 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -141,11 +141,13 @@ sub client_do_disconnect { my $shutdown_hdl = sub { my $hdl = shift; - shutdown($hdl->{fh}, 1); # clear all handlers $hdl->on_drain(undef); $hdl->on_read(undef); $hdl->on_eof(undef); + + $hdl->stoptls(); + shutdown($hdl->{fh}, 1); }; if (my $proxyhdl = delete $reqstate->{proxyhdl}) {
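Review bot: The ordering that the new `$hdl->stoptls();` and `shutdown($hdl->{fh}, 1);` lines at the end of `$shutdown_hdl` rely on is explained only in the commit message, while the code still carries just the `# clear all handlers` comment. Please add a short comment above `stoptls()` stating that it must run before `shutdown()` so the close notify can still be written, and that it must run after `on_drain(undef)` because it triggers on_drain(), which would re-enter client_do_disconnect(). Without that, a later cleanup could move `shutdown()` back to the top of the sub and silently bring back the unexpected EOF. The commit message also only says that clearing the handlers will "perhaps" avoid the extra call in all cases, so it would help to confirm this against the three listed cases (HTTP/1.0, the 5 sec timeout, the 400 response). A related question for the same two lines: `shutdown()` follows `stoptls()` immediately, so is the close notify guaranteed to have been written to the socket by then, or can it still be pending in the handle's write buffer when the write side is closed?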