Age | Commit message | Author |
|
When TLS 1.3 is used and `fail_if_no_peer_cert` (or equivalent)
is configured on the server, such as in mTLS scenarios, and
the client certificate is missing or invalid, the TLS 1.3 alert
will be sent after the handshake has completed.
The same is true for post-handshake authentication in TLS 1.3
which Erlang/OTP doesn't yet support, but will at some point in
the future.
Due to the asynchronous nature of some `ssl` socket operations,
such as sending, the alert may not always be returned from a
socket call. When the ssl socket is active we would receive
it as a message instead, so when Gun gets `{error,closed}`
it must look for the active message and see if an alert
occurred. When the ssl socket is passive we don't, so we
must query the socket for it (trying to set the socket active
at that point gets us the alert in the return value). There
is a span between handshake and the initial active mode set
where the socket is passive and may send data (the HTTP/2
preface) so we must account for both cases.
Because we sometimes have to wait for the alert as a message,
and we don't want to wait for a very long time (200ms), we
sometimes may lose the alert. Perhaps in the future this wait
time can be made configurable for users that really require
getting the alert.
The tests are only enabled on Linux because other OSes have
intermittent failures (likely due to timing).
|
|
|
|
Otherwise garbage gets sent.
|
|
|
|
|
|
|
|
Signed-off-by: Viktor Söderqvist <[email protected]>
|
|
In order to simplify the implementation the CookieStore is
given to the connect function now, even though it's not
currently used.
|
|
If the limit has been reached, new requests are failed immediately,
so that the application can retry them on a different connection.
Co-authored-by: Björn Svensson <[email protected]>
|
|
LH: Minor tweaks.
|
|
LH: I have fixed types, extended tests and tweaked a bit.
|
|
|
|
|
|
|
|
|
|
|
|
Depending on the environment the send buffer may not be
configured as low as we want, so the test will take longer.
|
|
Also "fix" many TLS test failures due to yet more changes
in the default options for TLS.
Also small changes to make Dialyzer happy.
|
|
And ensure that we don't infinite loop when retries are
enabled, by decrementing the retry count instead of using
a new one.
Also check for ssl:negotiated_protocol {error,closed}
which was possible but was not documented in OTP before
this change.
Thanks @voluntas for the help.
|
|
|
|
|
|
|
|
This is to avoid the TCP close eating data.
|
|
|
|
|
|
|
|
The number of unacknowledged pings that can be tolerated
before the connection is forcefully closed.
When a keepalive ping is sent to the peer, a counter is
incremented and if this counter exceeds the tolerance limit,
the connection is forcefully closed. The counter is
decremented whenever a ping ack is received from the peer.
By default, the mechanism for closing the connection based
on ping and ping ack is disabled.
Loïc Hoguin: I have edited a lot of the code and renamed
a few things as well as simplified the docs and increased
test timeouts to avoid race conditions.
|
|
|
|
We leave the pool in a degraded state if the configuration
given is invalid and a lookup/connect can't be made.
|
|
|
|
Loïc: I have reworded a couple things and reordered the tests.
It would be great to also test these things over proxies.
|
|
|
|
|
|
|
|
|
|
The http-state tests were removed and replaced with
tests in HTML pages. I have devised a way to semi-automatically
import them and test them.
Additional fixes were made following changes in
the rfc6265bis draft.
|
|
|
|
|
|
Amended to make the test case hit the problem.
|
|
|
|
|
|
|
|
The approach taken here is very similar to what browsers are
doing. A separate pool is created for each host/port/scope.
The authority (host header) is used to determine which pool
will execute requests. A connection process is semi-randomly
chosen from the connections that have capacity. Maximum
capacity is determined by the protocol (the HTTP/2 setting
set by the server is used, for example). Multiple processes
can process requests/responses on the same connection
concurrently. There is no need to "give back" the response
to the pool, the number of ongoing streams is maintained via
an event handler.
The implementation is currently not strict, there may be
more attempts to create requests than there is capacity.
I'm not sure if it should be made strict or if Gun should
just wait before sending requests (it only matters in the
HTTP/2 case at the moment).
When there is no connection with capacity available in the
pool (because they have too many streams, or are reconnecting,
or any other reason), checking out fails. There is no timeout
to wait for a connection to be available. On the other hand
the checkout_retry option allows setting multiple timeouts
to retry checking out a connection. Each retry attempt's
wait time can have a different value.
The initial implementation of this work was sponsored by
Kobil and made at the suggestion of Ilya Khaprov.
|
|
I've made some more test timeouts infinity in order
to fix additional intermittent issues that popped up.
|
|
|
|
If a request/headers/connect/ws_upgrade is created when a connection is in state
'closing', such as after receiving an HTTP/2 GOAWAY frame or an HTTP/1.1
"Connection: close" header, an error message is sent back to the caller
immediately, if reconnect is off (that is if the option retry is set to 0).
This allows an application to retry the request on another connection without
waiting for all streams on the current connection to complete.
|
|
|
|
Switching from /2 to /3 should be easy enough.
Also update the documentation about HTTP/2 Websocket support.
|
|
|
|
The main source file for the test tool h2specd was moved some
time ago, but the correct one is used now.
Also make sure that gun sends the GOAWAY directly to avoid
timing issues in test 6.9.1 in h2specd_SUITE.
|