Envoy Server drops the connection on Windows when the client certificate is invalid #13191
Comments
|
@PiotrSikora may be can suggest further steps |
|
10054 is However, TLS implements graceful shutdown via Does this happen with production code or only in this particular test? |
|
Here is the wireshark packet dump from the handshake on Windows:
|
|
I can get the tests involving invalid certs to pass by just placing a It seems that when there is an invalid cert, SSL_shutdown does not occur as the connection state is not marked as "in progress" or "complete" the connection is torn down without doing a proper shutdown so the client gets connection reset, as the data of the alert remains unread |
|
Working on a PR, there a couple other small issues in the test setup etc. but shouldn't be too hard to fix |
|
See #13264 |
Title: Envoy Server drops the connection on Windows when the client certificate is invalid
Description:
When the client certificate is invalid the behavior on Windows and UNIX is different. On Linux (correct behavior) it notifies back the client and on Windows it just drops the connection.
Information provided by:
SSL_CTX_set_info_callback(ctx.ssl_ctx_.get(), apps_ssl_info_callback);:On linux the alert that is raised is:
SSL error[undefined][TLS client read_session_ticket]: ret: 557 alert type fatal alert desc certificate expiredOn Windows the alert that is raised is:
SSL error[SSL_connect][TLS client read_session_ticket]: ret: -1 alert type unknown alert desc unknownRepro steps:
Run the test case
FailedClientCertificateExpirationVerificationin//test/extensions/transport_sockets/tls:ssl_socket_testcc: @envoyproxy/windows-dev
The text was updated successfully, but these errors were encountered: