Abort TLS transport on session verification failure#3323
Open
He-Pin wants to merge 1 commit into
Open
Conversation
pjfanning
reviewed
Jul 13, 2026
7b342cb to
b08e5e4
Compare
Motivation: When TLS session verification fails, the transport did not properly abort, leaving the connection in an inconsistent state that could lead to security issues or hangs. Modification: - Abort the TLS transport immediately on session verification failure - Address review feedback on error handling Result: TLS connections are properly torn down when session verification fails, preventing potential security issues. Tests: - Existing TLS transport tests References: Fixes apache#3245
b08e5e4 to
66c0a59
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
A failed post-handshake session verifier was handled as if the
SSLEngineitself had failed. When the verifier returned anSSLException, the GraphStage TLS implementation caught it in the engine failure path and calledcloseOutbound(). Because the handshake had already succeeded and there was no pending fatal alert, this generatedclose_notifyand completed the transport gracefully instead of aborting it.Engine-originated handshake failures are intentionally left unchanged: those paths must continue wrapping and flushing pending fatal alerts such as
certificate_unknown.Modification
verifySessionresult as an explicit TLS stage failure.if/elsecontrol flow rather than a non-local return.Result
Post-handshake session verification failures now abort the transport with the original exception. The GraphStage behavior matches the legacy TLS actor, while engine-originated TLS failures continue to flush their fatal alerts.
Tests
stream-tests / Test / testOnly org.apache.pekko.stream.io.TlsGraphStageSpec— 113 passedstream-tests / Test / testOnly org.apache.pekko.stream.io.TlsSpec— 113 passedstream-tests / Test / testOnly org.apache.pekko.stream.io.TlsGraphStageDeferredCloseSpec— 3 passedstream-tests / Test / testOnly org.apache.pekko.stream.io.TlsGraphStageIsolatedSpec— 7 passed+mimaReportBinaryIssues— passed for Scala 2.13 and Scala 3checkCodeStyle— passed+headerCheckAll— passedscalafmt --list --mode diff-ref=origin/main— passedgit diff --check origin/main...HEAD— passedvalidatePullRequest— not run per request; focused TLS, compatibility, style, and header checks above were runReferences
Refs #3245