From bdb1ca45454d90410031c4c2054005a995f76180 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Wed, 6 Apr 2022 15:04:45 +0200
Subject: [PATCH] cups/tls-gnutls.c: Use always GNUTLS_SHUT_WR
|
The current mode for `gnutls_bye()` in client use cases strictly
follows TLS v1.2 standard, which in this particular part says:
|
```
Unless some other fatal alert has been transmitted, each party is
required to send a close_notify alert before closing the write
side of the connection. The other party MUST respond with a
close_notify alert of its own and close down the connection immediately,
discarding any pending writes. It is not required for the initiator
of the close to wait for the responding close_notify alert before
closing the read side of the connection.
```
|
and waits for the other side of TLS connection to confirm the close.
|
Unfortunately it can be undesired for these reasons:
- we support switching of TLS versions in CUPS, and this mode strictly
follows TLS v1.2 - so for older version this behavior is not expected
and can cause delays
- even some TLS v1.2 implementations (like Windows Server 2016) don't
comply TLS v1.2 behavior even if it says it does - in that case,
encrypted printing takes 30s till HTTP timeout is reached, because the
other side didn't send confirmation
- AFAIU openssl's SSL_shutdown() doesn't make this TLS v1.2 difference,
so we could end up with two TLS implementations in CUPS which will
behave differently
|
Since the standard defines that waiting for confirmation is not required
and due the problems above, I would propose using GNUTLS_SHUT_WR mode
regardless of HTTP mode.
---
cups/tls-gnutls.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
|
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index c55995b2b..f87b4f4df 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1667,7 +1667,7 @@ _httpTLSStop(http_t *http) /* I - Connection to server */
int error; /* Error code */
|
|
- error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
+ error = gnutls_bye(http->tls, GNUTLS_SHUT_WR);
if (error != GNUTLS_E_SUCCESS)
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0);
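Review bot: The error report on the last line of the hunk describes the wrong failure: `gnutls_bye()` returns a GnuTLS error code in `error`, and `gnutls_strerror()` expects that code, not `errno`, so a failed close_notify is logged with an unrelated message; it should read `_cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(error), 0);`. If the underlying socket can be non-blocking at this point (not visible from the hunk), `gnutls_bye()` may also return `GNUTLS_E_AGAIN` or `GNUTLS_E_INTERRUPTED`, which this check treats as a hard error rather than retrying. The new call deserves a why-comment since the mode choice is no longer self-explanatory, e.g. `/* Half-close only (GNUTLS_SHUT_WR): TLS 1.2 does not require waiting for the peer's close_notify, and some peers never send one, which previously stalled until the HTTP timeout. */`. _httpTLSStop begins before this hunk and continues after it.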
|
--
2.35.1
|