Close transport after sending close_notify in TLSv1.2

See MagicStack#471 for details.
fantix · Oct 1, 2022 · 5f18f73 · 5f18f73
1 parent afb3268
commit 5f18f73
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/uvloop/includes/consts.pxi b/uvloop/includes/consts.pxi
@@ -20,6 +20,5 @@ DEF LOG_THRESHOLD_FOR_CONNLOST_WRITES = 5
 # The default timeout matches that of Nginx.
 DEF SSL_HANDSHAKE_TIMEOUT = 60.0
 # Number of seconds to wait for SSL shutdown to complete
-# The default timeout mimics lingering_time
-DEF SSL_SHUTDOWN_TIMEOUT = 30.0
+DEF SSL_SHUTDOWN_TIMEOUT = 10.0
 DEF SSL_READ_MAX_SIZE = 256 * 1024
diff --git a/uvloop/sslproto.pxd b/uvloop/sslproto.pxd
@@ -84,6 +84,8 @@ cdef class SSLProtocol:
         object _handshake_timeout_handle
         object _shutdown_timeout_handle
 
+        str _ssl_version
+
     cdef _set_app_protocol(self, app_protocol)
     cdef _wakeup_waiter(self, exc=*)
     cdef _get_extra_info(self, name, default=*)

diff --git a/uvloop/sslproto.pyx b/uvloop/sslproto.pyx
@@ -536,6 +536,7 @@ cdef class SSLProtocol:
                            cipher=sslobj.cipher(),
                            compression=sslobj.compression(),
                            ssl_object=sslobj)
+        self._ssl_version = sslobj.version()
         if self._app_state == STATE_INIT:
             self._app_state = STATE_CON_MADE
             self._app_protocol.connection_made(self._get_app_transport())
@@ -585,6 +586,9 @@ cdef class SSLProtocol:
         """
         cdef:
             bint close_notify = False
+        if self._app_state == STATE_EOF:
+            # close_notify was already received
+            return
         try:
             while True:
                 if not self._sslobj_read(SSL_READ_MAX_SIZE):
@@ -626,6 +630,11 @@ cdef class SSLProtocol:
                 self._sslobj.unwrap()
             except ssl_SSLAgainErrors as exc:
                 self._process_outgoing()
+                if self._ssl_version != "TLSv1.3":
+                    # don't wait for close_notify from the peer in TLSv1.2 or
+                    # lower to conform with widespread implementation practice
+                    if not self._get_write_buffer_size():
+                        self._on_shutdown_complete(None)
             else:
                 self._process_outgoing()
                 if not self._get_write_buffer_size():