Skip closing an initializing connection

cmurphy · cmurphy · commit 18f90207561d · 2021-10-25T10:20:39.000-07:00
Without this change, if a cert is updated (e.g. to add CNs) while the
listener is in the middle of Accept()ing a new connection, the
connection gets dropped, we'll see a message like this in the server
logs:

  http: TLS handshake error from 127.0.0.1:51232: write tcp 127.0.7.1:8443-&gt;127.0.0.1:51232: use of closed network connection

and the client (like a browser) won't necessarily reconnect. This change
modifies the GetCertificate routine in the listener's tls.Config to
keep track of the state of the incoming connections and only close
connections that have completed GetCertificate and therefore are
finished with their TLS handshake, so that only old established
connections are closed.
diff --git a/listener.go b/listener.go
@@ -275,8 +275,9 @@ func (l *listener) wrap(conn net.Conn) net.Conn {
 
 type closeWrapper struct {
 	net.Conn
-	id int
-	l  *listener
+	id   int
+	l    *listener
+	cert *tls.Certificate
 }
 
 func (c *closeWrapper) close() error {
@@ -291,13 +292,14 @@ func (c *closeWrapper) Close() error {
 }
 
 func (l *listener) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	newConn := hello.Conn
 	if hello.ServerName != "" {
 		if err := l.updateCert(hello.ServerName); err != nil {
 			return nil, err
 		}
 	}
 
-	return l.loadCert()
+	return l.loadCert(newConn.(*closeWrapper))
 }
 
 func (l *listener) updateCert(cn ...string) error {
@@ -339,7 +341,7 @@ func (l *listener) updateCert(cn ...string) error {
 	return nil
 }
 
-func (l *listener) loadCert() (*tls.Certificate, error) {
+func (l *listener) loadCert(currentConn *closeWrapper) (*tls.Certificate, error) {
 	l.RLock()
 	defer l.RUnlock()
 
@@ -373,11 +375,17 @@ func (l *listener) loadCert() (*tls.Certificate, error) {
 	if l.conns != nil && l.cert != nil {
 		l.connLock.Lock()
 		for _, conn := range l.conns {
+			// Don't close a connection that's in the middle of completing a TLS handshake
+			if conn.cert == nil {
+				continue
+			}
 			_ = conn.close()
 		}
 		l.connLock.Unlock()
 	}
 
+	l.conns[currentConn.id].cert = &cert
+
 	l.cert = &cert
 	l.version = secret.ResourceVersion
 	return l.cert, nil

Original file line number	Diff line number	Diff line change
`@@ -275,8 +275,9 @@ func (l *listener) wrap(conn net.Conn) net.Conn {`
`275`	`275`
`276`	`276`	`type closeWrapper struct {`
`277`	`277`	`net.Conn`
`278`		`- id int`
`279`		`- l *listener`
	`278`	`+ id int`
	`279`	`+ l *listener`
	`280`	`+ cert *tls.Certificate`
`280`	`281`	`}`
`281`	`282`
`282`	`283`	`func (c *closeWrapper) close() error {`
`@@ -291,13 +292,14 @@ func (c *closeWrapper) Close() error {`
`291`	`292`	`}`
`292`	`293`
`293`	`294`	`func (l listener) getCertificate(hello tls.ClientHelloInfo) (*tls.Certificate, error) {`
	`295`	`+ newConn := hello.Conn`
`294`	`296`	`if hello.ServerName != "" {`
`295`	`297`	`if err := l.updateCert(hello.ServerName); err != nil {`
`296`	`298`	`return nil, err`
`297`	`299`	`}`
`298`	`300`	`}`
`299`	`301`
`300`		`- return l.loadCert()`
	`302`	`+ return l.loadCert(newConn.(*closeWrapper))`
`301`	`303`	`}`
`302`	`304`
`303`	`305`	`func (l *listener) updateCert(cn ...string) error {`
`@@ -339,7 +341,7 @@ func (l *listener) updateCert(cn ...string) error {`
`339`	`341`	`return nil`
`340`	`342`	`}`
`341`	`343`
`342`		`-func (l listener) loadCert() (tls.Certificate, error) {`
	`344`	`+func (l listener) loadCert(currentConn closeWrapper) (*tls.Certificate, error) {`
`343`	`345`	`l.RLock()`
`344`	`346`	`defer l.RUnlock()`
`345`	`347`
`@@ -373,11 +375,17 @@ func (l listener) loadCert() (tls.Certificate, error) {`
`373`	`375`	`if l.conns != nil && l.cert != nil {`
`374`	`376`	`l.connLock.Lock()`
`375`	`377`	`for _, conn := range l.conns {`
	`378`	`+ // Don't close a connection that's in the middle of completing a TLS handshake`
	`379`	`+ if conn.cert == nil {`
	`380`	`+ continue`
	`381`	`+ }`
`376`	`382`	`_ = conn.close()`
`377`	`383`	`}`
`378`	`384`	`l.connLock.Unlock()`
`379`	`385`	`}`
`380`	`386`
	`387`	`+ l.conns[currentConn.id].cert = &cert`
	`388`	`+`
`381`	`389`	`l.cert = &cert`
`382`	`390`	`l.version = secret.ResourceVersion`
`383`	`391`	`return l.cert, nil`