Netty sends TCP-RST instead of TCP-FIN
See original GitHub issueExpected behavior
We are using netty for our Https server. We have a case where a client sends a Https Request and uses an Invalid Certificate for SSL Handshake. Server should send a Handshake Failure TLS Alert with 3-state TCP-FIN packet
Actual behavior
Server sends a Handshake Failure TLS Alert but instead of TCP-FIN server sends a TCP-RST. The Server TCP-RST acts destructively because it potentially destroys the unprocessed TLS message in the receive buffer of its TCP peer. See wireshark trace snapshot
Steps to reproduce
Setup a simple Https Server with keystore and truststore. Configure a Https Client with keystore(with a certificate that is not trust-able by server) and truststore
Netty version
4.1.6.Final
JVM version (e.g. java -version
)
1.8.0-u121
OS version (e.g. uname -a
)
CentOS Linux version 7
Issue Analytics
- State:
- Created 6 years ago
- Reactions:1
- Comments:41 (18 by maintainers)
Top Results From Across the Web
Netty socket.shutdownOutput() equivalent to avoid TCP RST?
The problem is: Remaining data in the receive buffer causes Linux (or Java..) to flag the TCP packets with the RST flag. This...
Read more >TCP FIN vs RST Packets- Know the Difference - IP With Ease
An RST packet is sent either in the middle of the 3-way handshake when the server rejects the connection or is unavailable OR...
Read more >Finagle / Netty and RST - Google Groups
Our services are running behind HAProxy which is setup in http-server-close mode meaning that it will open a new connection to the finagle...
Read more >TCP: Differences Between FIN and RST - Baeldung
I won't say anything to you, and I won't listen to anything from you”. In practice, an RST message enables the entity that...
Read more >Reactor Netty Reference Guide
reactor-netty-examples/src/main/java/reactor/netty/examples/documentation/tcp/server/send/Application.java. import reactor.core.publisher.
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Netty doesn’t implement TCP and therefore doesn’t explicitly send a TCP RST nor a TCP FIN. Netty calls
close
and the underlying TCP stack determines what is “appropriate”. What is appropriate may vary depending on the underlying implementation of TCP (the RFC allows some wiggle room with theSHOULD
language https://github.com/netty/netty/issues/6818#issuecomment-314493013).Netty may attempt to read data before the close and drain any pending data. However this approach is racy (what if data still arrives after we read but before we call
close()
) and introduces heuristics (how long should we read and wait to call close). I don’t think we want to want to go down this road to “fix” something which I’m not convinced is an issue in the first place (this is allowed by the TCP RFCs).As described in https://github.com/netty/netty/issues/6818#issuecomment-313143309 I did follow these steps and my client (curl) was able to correctly process the alert despite a RST being sent (see screen shots and description in my comment). The client should be able to read the alert regardless of FIN or RST being the next packet.
While it may not be related to the original report pay attention if you are running your application behind an AWS NLB https://medium.com/tenable-techblog/lessons-from-aws-nlb-timeouts-5028a8f65dda