xpra icon
Bug tracker and wiki

Opened 3 weeks ago

Closed 2 weeks ago

#1927 closed defect (fixed)

proxy "cannot steal a closed connection" with ssl sockets

Reported by: Antoine Martin Owned by: Antoine Martin
Priority: critical Milestone: 2.4
Component: network Version: 2.3.x
Keywords: Cc:

Description

Server started with:

sudo /usr/bin/python2 /usr/bin/xpra proxy :14500 \
    --daemon=no --tcp-auth=sys --socket-dirs=/tmp --socket-permissions=666 \
    --log-dir=/var/log --pidfile=/run/xpra.pid \
    --bind-tcp=0.0.0.0:14500 --ssl=on --ssl-cert=./cert.pem

Then an HTML5 client connecting using https requests a new session (ie: start-command: xterm).

This fails with:

Entering daemon mode; any further errors will be reported to:
  /run/user/1000/xpra/S7280.log
2018-08-01 23:16:13,686 New ssl connection received from 127.0.0.1:34398 on 0.0.0.0:14500

Actual display used: :4
Actual log file name is now: /run/user/1000/xpra/:4.log
2018-08-01 23:16:20,887 server error processing new connection from Protocol(None): cannot steal a closed connection
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/xpra/server/server_core.py", line 1597, in call_hello_oked
    self.hello_oked(proto, packet, c, auth_caps)
  File "/usr/lib64/python2.7/site-packages/xpra/server/proxy/proxy_server.py", line 188, in hello_oked
    self.proxy_auth(proto, c, auth_caps)
  File "/usr/lib64/python2.7/site-packages/xpra/server/proxy/proxy_server.py", line 223, in proxy_auth
    self.proxy_session(client_proto, c, auth_caps, sessions)
  File "/usr/lib64/python2.7/site-packages/xpra/server/proxy/proxy_server.py", line 346, in proxy_session
    client_conn = client_proto.steal_connection(unexpected_packet)
  File "/usr/lib64/python2.7/site-packages/xpra/net/protocol.py", line 1053, in steal_connection
    assert not self._closed, "cannot steal a closed connection"
AssertionError: cannot steal a closed connection

The exact same process works when connecting using plain http instead.

Maybe we can't handover the full socket state to the new proxy instance process?
Or maybe it's a blocking / non-blocking socket issue.

Change History (1)

comment:1 Changed 2 weeks ago by Antoine Martin

Resolution: fixed
Status: newclosed

Ugly but small fix in r19997.
It would be better to include this hard-coded string somewhere else, in the wss / ssl only code, but I tried and that was just too messy.

Note: See TracTickets for help on using tickets.