From 49e91b96d9faeca50ab0b212174744938d446132 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Thu, 5 Feb 2026 21:18:40 +0000 Subject: aptwebserver: Refuse client immediately on TLS handshake We implement a HTTP-only server here (that is wrapped by stunnel for HTTPS support), so if a TLS handshake reaches us it is always wrong and we can just close the connection immediately instead of accepting it and letting the client run into a timeout as we will never receive the message(s) we expect. This happens e.g. with browsers like Firefox that opportunistically try https first (even if you ask for http and specify a port). --- test/integration/test-apt-helper | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'test/integration/test-apt-helper') diff --git a/test/integration/test-apt-helper b/test/integration/test-apt-helper index 4f883b440..7c16d291e 100755 --- a/test/integration/test-apt-helper +++ b/test/integration/test-apt-helper @@ -12,6 +12,11 @@ changetohttpswebserver echo 'foo' > aptarchive/foo echo 'bar' > aptarchive/foo2 +msgtest 'aptwebserver instantly resets connection' 'on HTTP-only TLS' +# the reported error is currently (but that seems a bit brittle to check for explicitly): +# SSL connection failed: error:00000000:lib(0)::reason(0) / Connection reset by peer +testfailure --nomsg apthelper download-file "https://localhost:${APTHTTPPORT}/foo" './downloaded/foo' -o Acquire::Retries=0 + test_apt_helper_download() { msgmsg 'Test with' "$1" -- cgit v1.2.3-70-g09d2