fix(server): send TLS close_notify during graceful RDP disconnect (#1032)

ymarcus93 · web-flow · commit a70e01d9c567 · 2025-11-17T07:36:31.000-05:00
Add support for sending a proper TLS close_notify message when the RDP
client initiates a graceful disconnect PDU.
diff --git a/crates/ironrdp-server/src/server.rs b/crates/ironrdp-server/src/server.rs
@@ -21,7 +21,7 @@ use ironrdp_pdu::{decode_err, mcs, nego, rdp, Action, PduResult};
 use ironrdp_svc::{server_encode_svc_messages, StaticChannelId, StaticChannelSet, SvcProcessor};
 use ironrdp_tokio::{split_tokio_framed, unsplit_tokio_framed, FramedRead, FramedWrite, TokioFramed};
 use rdpsnd::server::{RdpsndServer, RdpsndServerMessage};
-use tokio::io::{AsyncRead, AsyncWrite};
+use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt as _};
 use tokio::net::{TcpListener, TcpStream};
 use tokio::sync::{mpsc, oneshot, Mutex};
 use tokio::task;
@@ -357,7 +357,12 @@ impl RdpServer {
                     .await?;
                 }
 
-                self.accept_finalize(framed, acceptor).await?;
+                let framed = self.accept_finalize(framed, acceptor).await?;
+                debug!("Shutting down TLS connection");
+                let (mut tls_stream, _) = framed.into_inner();
+                if let Err(e) = tls_stream.shutdown().await {
+                    debug!(?e, "TLS shutdown error");
+                }
             }
 
             BeginResult::Continue(framed) => {
@@ -954,7 +959,7 @@ impl RdpServer {
         }
     }
 
-    async fn accept_finalize<S>(&mut self, mut framed: TokioFramed<S>, mut acceptor: Acceptor) -> Result<()>
+    async fn accept_finalize<S>(&mut self, mut framed: TokioFramed<S>, mut acceptor: Acceptor) -> Result<TokioFramed<S>>
     where
         S: AsyncRead + AsyncWrite + Sync + Send + Unpin,
     {
@@ -982,11 +987,12 @@ impl RdpServer {
                     framed = unsplit_tokio_framed(reader, writer);
                     continue;
                 }
-                RunState::Disconnect => break,
+                RunState::Disconnect => {
+                    let final_framed = unsplit_tokio_framed(reader, writer);
+                    return Ok(final_framed);
+                }
             }
         }
-
-        Ok(())
     }
 
     pub fn set_credentials(&mut self, creds: Option<Credentials>) {

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ use ironrdp_pdu::{decode_err, mcs, nego, rdp, Action, PduResult};`
`21`	`21`	`use ironrdp_svc::{server_encode_svc_messages, StaticChannelId, StaticChannelSet, SvcProcessor};`
`22`	`22`	`use ironrdp_tokio::{split_tokio_framed, unsplit_tokio_framed, FramedRead, FramedWrite, TokioFramed};`
`23`	`23`	`use rdpsnd::server::{RdpsndServer, RdpsndServerMessage};`
`24`		`-use tokio::io::{AsyncRead, AsyncWrite};`
	`24`	`+use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt as _};`
`25`	`25`	`use tokio::net::{TcpListener, TcpStream};`
`26`	`26`	`use tokio::sync::{mpsc, oneshot, Mutex};`
`27`	`27`	`use tokio::task;`
`@@ -357,7 +357,12 @@ impl RdpServer {`
`357`	`357`	`.await?;`
`358`	`358`	`}`
`359`	`359`
`360`		`- self.accept_finalize(framed, acceptor).await?;`
	`360`	`+ let framed = self.accept_finalize(framed, acceptor).await?;`
	`361`	`+ debug!("Shutting down TLS connection");`
	`362`	`+ let (mut tls_stream, _) = framed.into_inner();`
	`363`	`+ if let Err(e) = tls_stream.shutdown().await {`
	`364`	`+ debug!(?e, "TLS shutdown error");`
	`365`	`+ }`
`361`	`366`	`}`
`362`	`367`
`363`	`368`	`BeginResult::Continue(framed) => {`
`@@ -954,7 +959,7 @@ impl RdpServer {`
`954`	`959`	`}`
`955`	`960`	`}`
`956`	`961`
`957`		`- async fn accept_finalize<S>(&mut self, mut framed: TokioFramed<S>, mut acceptor: Acceptor) -> Result<()>`
	`962`	`+ async fn accept_finalize<S>(&mut self, mut framed: TokioFramed<S>, mut acceptor: Acceptor) -> Result<TokioFramed<S>>`
`958`	`963`	`where`
`959`	`964`	`S: AsyncRead + AsyncWrite + Sync + Send + Unpin,`
`960`	`965`	`{`
`@@ -982,11 +987,12 @@ impl RdpServer {`
`982`	`987`	`framed = unsplit_tokio_framed(reader, writer);`
`983`	`988`	`continue;`
`984`	`989`	`}`
`985`		`- RunState::Disconnect => break,`
	`990`	`+ RunState::Disconnect => {`
	`991`	`+ let final_framed = unsplit_tokio_framed(reader, writer);`
	`992`	`+ return Ok(final_framed);`
	`993`	`+ }`
`986`	`994`	`}`
`987`	`995`	`}`
`988`		`-`
`989`		`- Ok(())`
`990`	`996`	`}`
`991`	`997`
`992`	`998`	`pub fn set_credentials(&mut self, creds: Option<Credentials>) {`