Fix x509 server handshake error handling #139
Merged
chucklever merged 2 commits into oracle:main from Feb 5, 2026
After gnutls_init() succeeds, the error paths for gnutls_credentials_set() and tlshd_gnutls_priority_set() failures jump to out_free_certs without calling gnutls_deinit(session), leaking the session object. Introduce an out_deinit_session label so all post-init error paths properly release the session before cleaning up certificates and credentials.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Currently if a client attempts an x.509 handshake and the server is misconfigured (no certificates, no private keys, etc), the server simply closes the connection. Prior to b010190 ("tlshd: Pass ETIMEDOUT from gnutls to kernel"), this would result in a quick failure on the client. Now the client keeps retrying until the mount program times out, which takes several minutes.

A misconfigured server isn't a self-correcting problem, so send a fatal alert to the client when this occurs so the client stops retrying immediately.

This requires some minor refactoring of tlshd_tls13_server_x509_handshake() so that the session is initialized before attempting to load the certs and keys (otherwise it is not possible to send an alert). Also log an error message to help the admin take corrective action.

Finally add some logging when an alert is received during the handshake. Following suit with handshake completions, alerts will only be logged if debug logging is enabled.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
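The cleanup-ladder bug described in the first commit message, as an added model that is not code from this pull request: counters stand in for the GnuTLS session and the loaded certificates, and a fault-injection helper shows which failure points leave a session allocated before and after the new label. The names `model_handshake`, `leaked_sessions` and `fail_at` are hypothetical, and the setup order (certificates, then session init, then credentials and priority) is an assumption drawn from the commit text.

```c
#include <stdbool.h>
#include <stdio.h>

/* Counters stand in for the real objects; all names here are hypothetical. */
static int live_sessions, live_certs;

enum fail_at { FAIL_NONE, FAIL_INIT, FAIL_CRED_SET, FAIL_PRIORITY_SET };

/* Model of the handshake setup; 'fixed' selects the post-patch cleanup path. */
static int model_handshake(enum fail_at inject, bool fixed)
{
    int ret = -1;

    live_certs++;                       /* certificates and key loaded */
    if (inject == FAIL_INIT)            /* session init failed: nothing to deinit */
        goto out_free_certs;
    live_sessions++;                    /* session init succeeded */

    if (inject == FAIL_CRED_SET || inject == FAIL_PRIORITY_SET) {
        if (fixed)
            goto out_deinit_session;    /* new label: release the session first */
        goto out_free_certs;            /* old path: skips the session release */
    }
    ret = 0;                            /* the handshake itself is not modelled */

out_deinit_session:
    live_sessions--;
out_free_certs:
    live_certs--;
    return ret;
}

/* Run one injected failure and report how many sessions were left allocated. */
static int leaked_sessions(enum fail_at inject, bool fixed)
{
    live_sessions = live_certs = 0;
    model_handshake(inject, fixed);
    return live_sessions;
}

int main(void)
{
    for (int f = FAIL_NONE; f <= FAIL_PRIORITY_SET; f++)
        printf("fail_at=%d leaked before=%d after=%d\n", f,
               leaked_sessions((enum fail_at)f, false),
               leaked_sessions((enum fail_at)f, true));
    return 0;
}
```

In a long-running daemon the same per-failure-point check can be run against the real function under a leak checker instead of counters.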
Summary
tlshd_gnutls_priority_set() fail during x509 server handshake
(missing certificates, private keys, or trust store), so clients
fail immediately instead of retrying until the mount times out
for server misconfigurations to help admins take corrective action