That seems plausible, but isn’t the indication that things got a lot worse from v6.x to 7.x?
The half close logic is old, isn’t it? Did we change something in it in 7.x?

— Leif

> On Sep 2, 2018, at 07:35, Susan Hinrichs <[email protected]> wrote:
>
> Thinking on this some more, this sounds like bad interactions with the TCP
> half closed logic in the state machine. If you are doing HTTP 1 over non-TLS,
> it is legal for a client to send a FIN but then read more data that the
> server sends. There is some logic to turn off this half close logic in
> traffic server in inappropriate cases but it is not perfect and has varied
> over time.
>
> Earlier this year there was a PR to add a knob to turn off this behavior, but
> I don't know where it landed. I will check that out when I get back to the
> office.
>
> Susan
>
>> On Sat, Sep 1, 2018, 5:56 PM Susan Hinrichs <[email protected]> wrote:
>> Yes, ATS should respond with close notify or at least FIN the connection.
>> What version of ATS are you seeing this with?
>>
>> If there was already an application data packet in flight, it may arrive
>> after the client sends the close notify. But in general ATS should shut down
>> the connection.
>>
>>> On Fri, Aug 31, 2018, 11:31 PM Jeremy Payne <[email protected]> wrote:
>>> Context:
>>>
>>> Openssl 102k
>>> ATS 714
>>>
>>> I notice that at times a client will send a TLS 1.2 close-notify,
>>> immediately followed by a FIN-ACK. Which seems to be following spec.
>>>
>>> "It is not required for the initiator of the close to wait for the
>>> responding close_notify alert before
>>> closing the read side of the connection."
>>>
>>>
>>> However, in response, ATS continues to send 'application data'
>>> instead of issuing its own TLS 1.2 close-notify. Which then results in
>>> connections lingering waiting for an ACK back from the client.
>>> Which will never come, since per spec:
>>>
>>> "Any data received after a closure alert is ignored."
>>>
>>>
>>> Is ATS still within TLS 1.2 spec by continuing to send application
>>> data, even though the client sent a close notify?
>>>
>>> I tested some other https servers compiled against openssl 102k, and I
>>> see a close notify sent by the client, with the https server
>>> responding with its own close notify.
>>>
>>> Thanks!
