Open airtower-luna opened 8 months ago
Could reproduce, ticket is opened (internal tracking number TGR-1329). Due to strained ressources I can't give an ETA right now.
Hello, Is there any timeplan, when the bug fix will be released ?
Hello!
This bug was inadvertently fixed in a rework of the TCP-Connect behavior. Version 3.1.3 should work without TLS, 3.1.4 will carry the fix for TLS. The analysis might be iffy due to https://github.com/gematik/app-Tiger/issues/5.
The error will stay the same (connection closed out-of-bounds, meaning TCP close (RST, ACK in this exact case)). This might be unexpected. Our reasoning is as follows: We duplicate a remote test-resource. In-bound errors (HTTP/HTTPS in this case) could be interepreted as originating from the remote server. Errors from the proxy can be hard to differentiate. We therefore opt to log the error and simply close the connection.
Reproducible, mirrored internally as TGR-1500, MR is already open, so we expect delivery with 3.1.4, which should ship within the next weeks, most likely sooner.
Hi, were those comments possibly meant for #5? I don't see how closing the TCP connection on error would fix ALPN. :thinking:
you are of course correct, mixup on my end (while checking these two issues were very much interlocked). This one will stay open unfortunately, mirrored in TGR-1329. The inadvertent fix actually just corrected the ALPN behavior, the http/2 layer however is not done correctly. I will push the ticket up in the backlog.
Tiger 3.0.1 offers HTTP/2 in ALPN during TLS handshake, but then fails if the client sends an HTTP/2 request. 2.3.2 works. If Tiger isn't meant to support HTTP/2 that's fine, but then it shouldn't be offered in ALPN.
Reproducer
Start the Tiger proxy. No config needed, I'm just setting the proxy port so I don't need to look it up in the log.
Connect to the proxy port over HTTPS. The actual URL doesn't matter, the bug occurs before any proxying would. I first encountered it with a URL for which the Tiger instance was configured as a reverse proxy.
Result in the Tiger log:
Workaround
Force the client to use HTTP/1.1 only (for curl:
--http1.1
option).