author | sthen <sthen@openbsd.org> | 2020-01-20 22:10:27 +0000 |
---|---|---|
committer | sthen <sthen@openbsd.org> | 2020-01-20 22:10:27 +0000 |
commit | 714ef3dc86af565d633e12bc035ca4fca82bb6a0 (patch) | |
tree | bdaffec12eb58b86cff5b0ebe09f2e3bcad215f7 /usr.sbin/acme-client/http.c | |
parent | Add alerts to the tls 1.3 record layer and handshake layer (diff) | |
Remove the tls_close warnx in acme-client. Currently it very often reports
a spurious "acme-client: tls_close: EOF without close notify" warning which
is plain confusing - it is a warning only, doesn't block anything, but when
people have some other failure (network problems, bad acme-challenge
path in webserver, etc.) they often see this message and think that it's
relevant.

The libtls warning is there to detect truncation attacks in protocols
that don't have their own way to do so (e.g. HTTP/0.9). HTTP/1.0 or newer
have methods to do this (Content-Length or chunked transfer encoding);
acme-client doesn't check them yet and perhaps should. But that's a separate
issue, the warnx doesn't really help with this anyway, and it's unlikely
that a truncated json payload would be valid for acme-client parsing anyway.

OK florian@ benno@
Diffstat (limited to 'usr.sbin/acme-client/http.c')
-rw-r--r-- | usr.sbin/acme-client/http.c | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/usr.sbin/acme-client/http.c b/usr.sbin/acme-client/http.c index 08731297d8f..17298814382 100644 --- a/usr.sbin/acme-client/http.c +++ b/usr.sbin/acme-client/http.c @@ -1,4 +1,4 @@ -/* $Id: http.c,v 1.28 2019/07/12 15:01:33 florian Exp $ */ +/* $Id: http.c,v 1.29 2020/01/20 22:10:27 sthen Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -194,10 +194,6 @@ http_disconnect(struct http *http) rc = tls_close(http->ctx); } while (rc == TLS_WANT_POLLIN || rc == TLS_WANT_POLLOUT); - if (rc < 0) - warnx("%s: tls_close: %s", http->src.ip, - tls_error(http->ctx)); - tls_free(http->ctx); } if (http->fd != -1) { |
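Review bot: in the http_disconnect hunk, dropping the `if (rc < 0)` branch means a failed tls_close() (including the "EOF without close notify" case) is now discarded without any trace, and the commit message itself notes that acme-client does not yet validate Content-Length or chunked framing, so there is currently no other signal that a response was truncated. Consider keeping the message behind the existing verbose/debug logging rather than removing it outright, or at least leaving a one-line comment above the `tls_free(http->ctx);` call explaining that the close error is intentionally ignored and why, so a later reader does not reintroduce the warnx or assume truncation is detected elsewhere.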