Bug tracker and wiki

This bug tracker and wiki are being discontinued;
please use https://github.com/Xpra-org/xpra instead.

Opened 3 years ago

Closed 3 years ago

Last modified 12 months ago

#1927 closed defect (fixed)

proxy "cannot steal a closed connection" with ssl sockets

Reported by: Antoine Martin
Owned by: Antoine Martin
Priority: critical
Milestone: 2.4
Component: network
Version: 2.3.x
Keywords:
Cc:


Server started with:

sudo /usr/bin/python2 /usr/bin/xpra proxy :14500 \
    --daemon=no --tcp-auth=sys --socket-dirs=/tmp --socket-permissions=666 \
    --log-dir=/var/log --pidfile=/run/xpra.pid \
    --bind-tcp= --ssl=on --ssl-cert=./cert.pem

Then an HTML5 client connecting using https requests a new session (i.e. start-command: xterm).

This fails with:

Entering daemon mode; any further errors will be reported to:
2018-08-01 23:16:13,686 New ssl connection received from on

Actual display used: :4
Actual log file name is now: /run/user/1000/xpra/:4.log
2018-08-01 23:16:20,887 server error processing new connection from Protocol(None): cannot steal a closed connection
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/xpra/server/server_core.py", line 1597, in call_hello_oked
    self.hello_oked(proto, packet, c, auth_caps)
  File "/usr/lib64/python2.7/site-packages/xpra/server/proxy/proxy_server.py", line 188, in hello_oked
    self.proxy_auth(proto, c, auth_caps)
  File "/usr/lib64/python2.7/site-packages/xpra/server/proxy/proxy_server.py", line 223, in proxy_auth
    self.proxy_session(client_proto, c, auth_caps, sessions)
  File "/usr/lib64/python2.7/site-packages/xpra/server/proxy/proxy_server.py", line 346, in proxy_session
    client_conn = client_proto.steal_connection(unexpected_packet)
  File "/usr/lib64/python2.7/site-packages/xpra/net/protocol.py", line 1053, in steal_connection
    assert not self._closed, "cannot steal a closed connection"
AssertionError: cannot steal a closed connection

The exact same process works when connecting using plain http instead.

Maybe we can't hand over the full socket state to the new proxy instance process?
Or maybe it's a blocking / non-blocking socket issue.

Change History (3)

comment:1 Changed 3 years ago by Antoine Martin

Resolution: fixed
Status: new → closed

Ugly but small fix in r19997.
It would be better to include this hard-coded string somewhere else, in the wss / ssl only code, but I tried and that was just too messy.

comment:2 Changed 2 years ago by Antoine Martin

Workaround removed in v4: r25231.
Works OK without.

Last edited 2 years ago by Antoine Martin

comment:3 Changed 12 months ago by migration script

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1927
