From 4d0b0cd4c7ad6c21c384c1be96db6141377379fb Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Fri, 27 Feb 2026 13:16:51 +0000
Subject: [PATCH] [tls] Respond to received closure alerts

TLS defines a mechanism for gracefully closing a connection via a closure alert. We currently ignore this alert since it is a warning rather than an error, and warnings are allowed to be ignored. In almost all cases, a higher-level protocol such as HTTP will already give us the information required to know when the connection should be closed. In the very rare case of an HTTPS server that does not send a Content-Length header and does not close the TCP connection, only the closure alert indicates that the whole file has been retrieved. Handle a received closure alert by gracefully closing the connection.

Reported-by: Tuomo Tanskanen
Signed-off-by: Michael Brown
---
 src/include/ipxe/tls.h | 3 +++
 src/net/tls.c | 12 ++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 6985ae63f..4e5e25755 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -82,6 +82,9 @@ struct tls_header {
 #define TLS_ALERT_WARNING 1
 #define TLS_ALERT_FATAL 2
 
+/* TLS alert descriptions */
+#define TLS_ALERT_CLOSE_NOTIFY 0
+
 /* TLS cipher specifications */
 #define TLS_RSA_WITH_NULL_MD5 0x0001
 #define TLS_RSA_WITH_NULL_SHA 0x0002
diff --git a/src/net/tls.c b/src/net/tls.c
index 73d470221..d100b9daa 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2060,8 +2060,16 @@ static int tls_new_alert ( struct tls_connection *tls,
 /* Handle alert */
 switch ( alert->level ) {
 case TLS_ALERT_WARNING:
- DBGC ( tls, "TLS %p received warning alert %d\n",
- tls, alert->description );
+ switch ( alert->description ) {
+ case TLS_ALERT_CLOSE_NOTIFY:
+ DBGC ( tls, "TLS %p closed by notification\n", tls );
+ tls_close ( tls, 0 );
+ break;
+ default:
+ DBGC ( tls, "TLS %p received warning alert %d\n",
+ tls, alert->description );
+ break;
+ }
 return 0;
 case TLS_ALERT_FATAL:
 DBGC ( tls, "TLS %p received fatal alert %d\n",
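Review bot: The new TLS_ALERT_CLOSE_NOTIFY case calls tls_close ( tls, 0 ) but nothing in the hunk shows the two things RFC 5246 §7.2.1 asks of the receiver of a close_notify: answering with its own close_notify (unless one is already pending) and discarding any record data that arrives after the alert. If tls_close() already covers both, a comment on the case would make that contract visible, e.g. `/* Peer sent close_notify: per RFC 5246 7.2.1 reply with our own and discard anything that follows; tls_close() is relied on for both */`; if it does not, the reply alert and any trailing records in the same receive need handling before the presumably-successful rc 0 is passed upward. Keeping rc 0 here, distinct from the error reported on a bare TCP FIN, is what preserves truncation-attack detection for callers, so that distinction is worth stating in the comment as well. tls_new_alert begins before this hunk, so the function's prologue and any earlier validation of alert->description are not visible here.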