diff options
| author | David Kalnischkies <david@kalnischkies.de> | 2026-02-05 21:18:40 +0000 |
|---|---|---|
| committer | David Kalnischkies <david@kalnischkies.de> | 2026-06-10 13:07:30 +0000 |
| commit | 49e91b96d9faeca50ab0b212174744938d446132 (patch) | |
| tree | 6b31bc0201214aa2d10a51b2edbf30032fa49889 | |
| parent | 5b49a25a292dd3ed2355fadaca68753a72eb2422 (diff) | |
aptwebserver: Refuse client immediately on TLS handshake
We implement a HTTP-only server here (that is wrapped by stunnel for
HTTPS support), so if a TLS handshake reaches us it is always wrong
and we can just close the connection immediately instead of accepting
it and letting the client run into a timeout as we will never receive
the message(s) we expect.
This happens e.g. with browsers like Firefox that opportunistically
try https first (even if you ask for http and specify a port).
| -rwxr-xr-x | test/integration/test-apt-helper | 5 | ||||
| -rwxr-xr-x | test/integration/test-apt-https-transient | 15 | ||||
| -rw-r--r-- | test/interactive-helper/aptwebserver.cc | 23 |
3 files changed, 34 insertions, 9 deletions
diff --git a/test/integration/test-apt-helper b/test/integration/test-apt-helper index 4f883b440..7c16d291e 100755 --- a/test/integration/test-apt-helper +++ b/test/integration/test-apt-helper @@ -12,6 +12,11 @@ changetohttpswebserver echo 'foo' > aptarchive/foo echo 'bar' > aptarchive/foo2 +msgtest 'aptwebserver instantly resets connection' 'on HTTP-only TLS' +# the reported error is currently (but that seems a bit brittle to check for explicitly): +# SSL connection failed: error:00000000:lib(0)::reason(0) / Connection reset by peer +testfailure --nomsg apthelper download-file "https://localhost:${APTHTTPPORT}/foo" './downloaded/foo' -o Acquire::Retries=0 + test_apt_helper_download() { msgmsg 'Test with' "$1" diff --git a/test/integration/test-apt-https-transient b/test/integration/test-apt-https-transient index f2b7347ba..9fd70942f 100755 --- a/test/integration/test-apt-https-transient +++ b/test/integration/test-apt-https-transient @@ -24,18 +24,17 @@ testfileequal httpfile 'alright' rm -f httpfile httpsfile # Speak wrong protocols (https on http port and vice versa). We check that they can be retried. - msgtest 'protocol negotiation error is transient for' 'https' -testfailureequal "Ign:1 https://localhost:${APTHTTPPORT}/working - Could not wait for server fd - select (11: Resource temporarily unavailable) -Err:1 https://localhost:${APTHTTPPORT}/working - Could not wait for server fd - select (11: Resource temporarily unavailable) -E: Failed to fetch https://localhost:${APTHTTPPORT}/working Could not wait for server fd - select (11: Resource temporarily unavailable) -E: Download Failed" apthelper download-file "https://localhost:${APTHTTPPORT}/working" httpfile -oAcquire::https::Timeout=1 -oAcquire::Retries=1 +testfailure --nomsg apthelper download-file "https://localhost:${APTHTTPPORT}/working" httpfile -oAcquire::https::Timeout=1 -oAcquire::Retries=1 +cp -a rootdir/tmp/testfailure.output httpsonhttp.output +# the error details produced seem a bit too internal to hardcode them here: +# SSL connection failed: error:00000000:lib(0)::reason(0) / Connection reset by peer +testsuccess grep "^Ign:1 https://localhost:${APTHTTPPORT}/working$" httpsonhttp.output +testsuccess grep "^Err:1 https://localhost:${APTHTTPPORT}/working$" httpsonhttp.output # Speak wrong protocols (https on http port and vice versa) msgtest 'protocol negotiation error is transient for' 'http' -testfailureequal "Ign:1 http://localhost:${APTHTTPSPORT}/working +testfailureequal --nomsg "Ign:1 http://localhost:${APTHTTPSPORT}/working Connection failed Err:1 http://localhost:${APTHTTPSPORT}/working Connection failed diff --git a/test/interactive-helper/aptwebserver.cc b/test/interactive-helper/aptwebserver.cc index e9882abd0..80a971e87 100644 --- a/test/interactive-helper/aptwebserver.cc +++ b/test/interactive-helper/aptwebserver.cc @@ -684,13 +684,34 @@ static void * handleClient(int const client, size_t const id) /*{{{*/ std::ofstream logfile(logfilepath); basic_teeostream<char> log(std::clog, logfile); - log << "ACCEPT client " << client << std::endl; bool closeConnection = false; + bool firstHandshake = true; + std::array<char, 2> handshake = {'\0', '\0' }; + if (not FileFd::Read(client, handshake.data(), handshake.size() * sizeof(decltype(handshake)::value_type))) + { + log << "READ ERROR handshake from client " << client << '\n'; + closeConnection = true; + } + // a TLS handshake packet starts with the type 0x16 and a two byte TLS version, + // but all versions start with 0x03 and TLS1.3 defines it as a legacy version + // hardcoding it to the TLS1.2 value of 0x03 0x03. + else if (handshake[0] == 0x16 && handshake[1] == 0x03) + { + log << "REFUSE TLS-handshaking client " << client << '\n'; + closeConnection = true; + } + else + log << "ACCEPT client " << client << '\n'; while (closeConnection == false) { std::vector<std::string> messages; if (ReadMessages(client, messages) == false) break; + if (firstHandshake && not messages.empty()) + { + messages.front().insert(0, handshake.data(), handshake.size()); + firstHandshake = false; + } std::list<std::string> headers; for (std::vector<std::string>::const_iterator m = messages.begin(); |
