cups/tls-gnutls.c: Use always GNUTLS_SHUT_WR #365
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The current mode for `gnutls_bye()` in client use cases strictly follows TLS v1.2 standard, which in this particular part says: ``` Unless some other fatal alert has been transmitted, each party is required to send a close_notify alert before closing the write side of the connection. The other party MUST respond with a close_notify alert of its own and close down the connection immediately, discarding any pending writes. It is not required for the initiator of the close to wait for the responding close_notify alert before closing the read side of the connection. ``` and waits for the other side of TLS connection to confirm the close. Unfortunately it can undesired for reasons: - we support switching of TLS versions in CUPS, and this mode strictly follows TLS v1.2 - so for older version this behavior is not expected and can cause delays - even some TLS v1.2 implementations (like Windows Server 2016) don't comply TLS v1.2 behavior even if it says it does - in that case, encrypted printing takes 30s till HTTP timeout is reached, because the other side didn't send confirmation - AFAIU openssl's SSL_shutdown() doesn't make this TLS v1.2 difference, so we could end up with two TLS implementations in CUPS which will behave differently Since the standard defines that waiting for confirmation is not required and due the problems above, I would propose using GNUTLS_SHUT_WR mode regardless of HTTP mode.
|
Thank you for the review! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The current mode for
gnutls_bye()in client use cases strictlyfollows TLS v1.2 standard, which in this particular part says:
and waits for the other side of TLS connection to confirm the close.
Unfortunately it can undesired for reasons:
follows TLS v1.2 - so for older version this behavior is not expected
and can cause delays
comply TLS v1.2 behavior even if it says it does - in that case,
encrypted printing takes 30s till HTTP timeout is reached, because the
other side didn't send confirmation
so we could end up with two TLS implementations in CUPS which will
behave differently
Since the standard defines that waiting for confirmation is not required
and due the problems above, I would propose using GNUTLS_SHUT_WR mode
regardless of HTTP mode.