[tls] Respond to received closure alerts

TLS defines a mechanism for gracefully closing a connection via a
closure alert.  We currently ignore this alert since it is a warning
rather than an error, and warnings are allowed to be ignored.

In almost all cases, a higher-level protocol such as HTTP will already
give us the information required to know when the connection should be
closed.  In the very rare case of an HTTPS server that does not send a
Content-Length header and does not close the TCP connection, only the
closure alert indicates that the whole file has been retrieved.

Handle a received closure alert by gracefully closing the connection.

Reported-by: Tuomo Tanskanen <tuomo.tanskanen@est.tech>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown
2026-02-27 13:16:51 +00:00
parent efe8126372
commit 4d0b0cd4c7
2 changed files with 13 additions and 2 deletions
+3
@@ -82,6 +82,9 @@ struct tls_header {
#define TLS_ALERT_WARNING 1
#define TLS_ALERT_FATAL 2
/* TLS alert descriptions */
#define TLS_ALERT_CLOSE_NOTIFY 0
/* TLS cipher specifications */
#define TLS_RSA_WITH_NULL_MD5 0x0001
#define TLS_RSA_WITH_NULL_SHA 0x0002
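Review bot: the new TLS_ALERT_CLOSE_NOTIFY value of 0 matches the close_notify AlertDescription in RFC 5246 section 7.2, and since the switch in tls_new_alert() only needs to recognise close_notify, defining just this one description is sufficient; a short comment citing the RFC section next to `/* TLS alert descriptions */` would help readers map it against the other description values the code still prints only as raw numbers.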
+10 -2
@@ -2060,8 +2060,16 @@ static int tls_new_alert ( struct tls_connection *tls,
/* Handle alert */
switch ( alert->level ) {
case TLS_ALERT_WARNING:
DBGC ( tls, "TLS %p received warning alert %d\n",
tls, alert->description );
switch ( alert->description ) {
case TLS_ALERT_CLOSE_NOTIFY:
DBGC ( tls, "TLS %p closed by notification\n", tls );
tls_close ( tls, 0 );
break;
default:
DBGC ( tls, "TLS %p received warning alert %d\n",
tls, alert->description );
break;
}
return 0;
case TLS_ALERT_FATAL:
DBGC ( tls, "TLS %p received fatal alert %d\n",
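Review bot: after `tls_close ( tls, 0 );` the TLS_ALERT_CLOSE_NOTIFY branch still falls through to `return 0;`, so the caller will continue as if the record had been handled normally; please confirm that tls_close() leaves the connection in a state where any records still queued behind the close_notify are discarded rather than decrypted and delivered, since the commit message relies on this alert marking the end of the data. RFC 5246 section 7.2.1 also expects the peer's close_notify to be answered with a close_notify of our own before the transport is torn down; if tls_close() already sends one this is fine, otherwise it is worth adding so the server does not log the close as a truncated session. The default branch keeps the original "received warning alert" debug message, so logging for other warnings is unchanged.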