summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Kalnischkies <david@kalnischkies.de>2026-02-05 21:18:40 +0000
committerDavid Kalnischkies <david@kalnischkies.de>2026-06-10 13:07:30 +0000
commit49e91b96d9faeca50ab0b212174744938d446132 (patch)
tree6b31bc0201214aa2d10a51b2edbf30032fa49889
parent5b49a25a292dd3ed2355fadaca68753a72eb2422 (diff)
aptwebserver: Refuse client immediately on TLS handshake
We implement a HTTP-only server here (that is wrapped by stunnel for HTTPS support), so if a TLS handshake reaches us it is always wrong and we can just close the connection immediately instead of accepting it and letting the client run into a timeout as we will never receive the message(s) we expect. This happens e.g. with browsers like Firefox that opportunistically try https first (even if you ask for http and specify a port).
-rwxr-xr-xtest/integration/test-apt-helper5
-rwxr-xr-xtest/integration/test-apt-https-transient15
-rw-r--r--test/interactive-helper/aptwebserver.cc23
3 files changed, 34 insertions, 9 deletions
diff --git a/test/integration/test-apt-helper b/test/integration/test-apt-helper
index 4f883b440..7c16d291e 100755
--- a/test/integration/test-apt-helper
+++ b/test/integration/test-apt-helper
@@ -12,6 +12,11 @@ changetohttpswebserver
echo 'foo' > aptarchive/foo
echo 'bar' > aptarchive/foo2
+msgtest 'aptwebserver instantly resets connection' 'on HTTP-only TLS'
+# the reported error is currently (but that seems a bit brittle to check for explicitly):
+# SSL connection failed: error:00000000:lib(0)::reason(0) / Connection reset by peer
+testfailure --nomsg apthelper download-file "https://localhost:${APTHTTPPORT}/foo" './downloaded/foo' -o Acquire::Retries=0
+
test_apt_helper_download() {
msgmsg 'Test with' "$1"
diff --git a/test/integration/test-apt-https-transient b/test/integration/test-apt-https-transient
index f2b7347ba..9fd70942f 100755
--- a/test/integration/test-apt-https-transient
+++ b/test/integration/test-apt-https-transient
@@ -24,18 +24,17 @@ testfileequal httpfile 'alright'
rm -f httpfile httpsfile
# Speak wrong protocols (https on http port and vice versa). We check that they can be retried.
-
msgtest 'protocol negotiation error is transient for' 'https'
-testfailureequal "Ign:1 https://localhost:${APTHTTPPORT}/working
- Could not wait for server fd - select (11: Resource temporarily unavailable)
-Err:1 https://localhost:${APTHTTPPORT}/working
- Could not wait for server fd - select (11: Resource temporarily unavailable)
-E: Failed to fetch https://localhost:${APTHTTPPORT}/working Could not wait for server fd - select (11: Resource temporarily unavailable)
-E: Download Failed" apthelper download-file "https://localhost:${APTHTTPPORT}/working" httpfile -oAcquire::https::Timeout=1 -oAcquire::Retries=1
+testfailure --nomsg apthelper download-file "https://localhost:${APTHTTPPORT}/working" httpfile -oAcquire::https::Timeout=1 -oAcquire::Retries=1
+cp -a rootdir/tmp/testfailure.output httpsonhttp.output
+# the error details produced seem a bit too internal to hardcode them here:
+# SSL connection failed: error:00000000:lib(0)::reason(0) / Connection reset by peer
+testsuccess grep "^Ign:1 https://localhost:${APTHTTPPORT}/working$" httpsonhttp.output
+testsuccess grep "^Err:1 https://localhost:${APTHTTPPORT}/working$" httpsonhttp.output
# Speak wrong protocols (https on http port and vice versa)
msgtest 'protocol negotiation error is transient for' 'http'
-testfailureequal "Ign:1 http://localhost:${APTHTTPSPORT}/working
+testfailureequal --nomsg "Ign:1 http://localhost:${APTHTTPSPORT}/working
Connection failed
Err:1 http://localhost:${APTHTTPSPORT}/working
Connection failed
diff --git a/test/interactive-helper/aptwebserver.cc b/test/interactive-helper/aptwebserver.cc
index e9882abd0..80a971e87 100644
--- a/test/interactive-helper/aptwebserver.cc
+++ b/test/interactive-helper/aptwebserver.cc
@@ -684,13 +684,34 @@ static void * handleClient(int const client, size_t const id) /*{{{*/
std::ofstream logfile(logfilepath);
basic_teeostream<char> log(std::clog, logfile);
- log << "ACCEPT client " << client << std::endl;
bool closeConnection = false;
+ bool firstHandshake = true;
+ std::array<char, 2> handshake = {'\0', '\0' };
+ if (not FileFd::Read(client, handshake.data(), handshake.size() * sizeof(decltype(handshake)::value_type)))
+ {
+ log << "READ ERROR handshake from client " << client << '\n';
+ closeConnection = true;
+ }
+ // a TLS handshake packet starts with the type 0x16 and a two byte TLS version,
+ // but all versions start with 0x03 and TLS1.3 defines it as a legacy version
+ // hardcoding it to the TLS1.2 value of 0x03 0x03.
+ else if (handshake[0] == 0x16 && handshake[1] == 0x03)
+ {
+ log << "REFUSE TLS-handshaking client " << client << '\n';
+ closeConnection = true;
+ }
+ else
+ log << "ACCEPT client " << client << '\n';
while (closeConnection == false)
{
std::vector<std::string> messages;
if (ReadMessages(client, messages) == false)
break;
+ if (firstHandshake && not messages.empty())
+ {
+ messages.front().insert(0, handshake.data(), handshake.size());
+ firstHandshake = false;
+ }
std::list<std::string> headers;
for (std::vector<std::string>::const_iterator m = messages.begin();