tornado
Unsuccessful TLS handshake leaking connections
Tornado's IOStream.start_tls leaks connections when the handshake starts but does not complete. The AsyncHTTPClient returns "HTTP 599: Timeout while connecting", but the underlying connection is not closed.
This can be reproduced quite easily: start netcat listening on 127.0.0.1:9000 and run the attached example with "ssl_leak.py http" or "ssl_leak.py https" to observe the different behaviors. HTTP closes the connection (and netcat exits), while HTTPS keeps the connection up even after the request errors.
I've observed this behavior with
OpenSSL: OpenSSL 1.1.0f 25 May 2017
Python: 3.5.3 (default, Jan 19 2017, 14:11:04) [GCC 6.3.0 20170124]
Tornado: 4.5.3
and
OpenSSL: OpenSSL 1.1.1d 10 Sep 2019
Python: 3.7.3 (default, Apr 3 2019, 05:39:12) [GCC 8.3.0]
Tornado: 6.0.3
I've confirmed this is an issue in start_tls with a "fix", but this fix includes a timeout, which is currently hardcoded. This timeout value might need to be somehow passed into start_tls, but the start_tls is hidden quite deep.
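The failure mode the report describes, as an added self-contained reproduction that is not the attached ssl_leak.py and does not use Tornado: it models the same sequence with the standard library's ssl module only. The TCP connect succeeds, the TLS handshake is started against a peer that never answers (a constructed in-process stand-in for netcat, on an ephemeral port rather than 9000), the client's connect deadline fires, and the server side is checked for EOF. Without an explicit close on the timeout path the server never sees the connection go away, which is the observable netcat behaviour from the report; closing the socket on that path is the missing step. The 0.3-second deadline and the one-second EOF wait are assumptions chosen for the demo.

```python
import socket
import ssl
import threading
import time


class SilentServer:
    """Constructed stand-in for 'netcat listening on 127.0.0.1:9000'.

    Accepts one TCP connection, never answers the TLS handshake, and records
    whether the client ever closed its end (a recv() returning b"" is the EOF
    that makes netcat exit).
    """

    def __init__(self):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # ephemeral port instead of 9000
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.peer_closed = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        conn.settimeout(5.0)
        try:
            while conn.recv(4096):  # swallow the ClientHello, then wait for EOF
                pass
            self.peer_closed.set()
        except OSError:
            pass  # gave up waiting for EOF: the client leaked the connection
        finally:
            conn.close()


def tls_connect(port, timeout, close_on_timeout):
    """TCP-connect, then drive a non-blocking TLS handshake under a deadline.

    Returns (timed_out, sock). With close_on_timeout=False the socket is left
    open when the deadline fires, which is the leak described in the report;
    with True the timeout path closes it before reporting the timeout.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the silent peer never presents a cert
    raw = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    raw.setblocking(False)
    sock = ctx.wrap_socket(raw, do_handshake_on_connect=False,
                           server_hostname="localhost")
    deadline = time.monotonic() + timeout
    while True:
        try:
            sock.do_handshake()
            return False, sock
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            if time.monotonic() >= deadline:
                if close_on_timeout:
                    sock.close()  # the missing step: release the fd on timeout
                return True, sock
            time.sleep(0.01)


def reproduce(close_on_timeout, timeout=0.3):
    """Run one handshake attempt against a silent server and report what happened."""
    server = SilentServer()
    timed_out, sock = tls_connect(server.port, timeout, close_on_timeout)
    try:
        return {
            "timed_out": timed_out,
            "client_socket_open": sock.fileno() != -1,
            # give the server thread up to a second to notice EOF
            "server_saw_close": server.peer_closed.wait(1.0),
        }
    finally:
        sock.close()  # tidy up the demo; a real client must do this on the timeout path


if __name__ == "__main__":
    print("leaky  :", reproduce(close_on_timeout=False))
    print("closing:", reproduce(close_on_timeout=True))
```

The leaky run reports a timeout with the client socket still open and the server never seeing EOF; the closing run reports the same timeout but with the socket released and the server observing the close, which is the difference between the http and https cases in the report.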