Skip to content

Port #7839 - Fix TLS handshake error handling #7841

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 24, 2025
Merged

Port #7839 - Fix TLS handshake error handling #7841

merged 1 commit into from
Sep 24, 2025

Conversation

Arkatufus
Copy link
Contributor

(cherry picked from commit 1ec6f9e)

Enforce ActorSystem shutdown on TLS handshake failures

Summary

  • Any TLS handshake failure now triggers CoordinatedShutdown with a clear reason (exit code 79), preventing a node from remaining "half‑healthy" via reverse connections.
  • Tests cover server/client TLS failures and verify the misconfigured side shuts down.

Changes

  • Transport (DotNetty)
    • Handle TlsHandshakeCompletionEvent failures in TcpTransport and run CoordinatedShutdown using a new TlsHandshakeFailureReason (exit code 79). Logs include channel endpoints and id.

New shutdown reason

  • Akka.Remote.Transport.DotNetty.TlsHandshakeFailureReason (exit code 79): used by TcpTransport and EndpointManager to terminate the misconfigured system.

Tests (Akka.Remote.Tests)

  • Tls_handshake_failure_should_be_logged_and_shutdown_server
  • Server_side_tls_handshake_failure_should_shutdown_server
  • Client_side_tls_handshake_failure_should_shutdown_client

Rationale

  • Akka.NET remote is peer‑to‑peer: any TLS misconfiguration in either role must cause the association to fail hard. Shutting down the misconfigured ActorSystem avoids split‑brain‑like symptoms where nodes can still send outbound but fail inbound.

Impact / Migration

  • Behavior change: nodes with TLS handshake failures now terminate (exit code 79). Ensure certificates are valid and accessible.
  • No public API changes; wire protocol unaffected.

@Arkatufus
Fix TLS handshake error handling (akkadotnet#7839)
8db3e13 
* Fix TLS handshake error handling

* Simplify PR

* Simplify PR, remove new DisassociateInfo

* Clean whitespace noise

* cleanup, remove TlsHandshakeErrorAssociation

(cherry picked from commit 1ec6f9e)
Aaronontheweb
Aaronontheweb approved these changes Sep 24, 2025
View reviewed changes
Copy link
Member

@Aaronontheweb Aaronontheweb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Aaronontheweb Aaronontheweb enabled auto-merge (squash) September 24, 2025 20:26
@Aaronontheweb Aaronontheweb merged commit 8d99e83 into akkadotnet:dev Sep 24, 2025
8 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Aaronontheweb Aaronontheweb Aaronontheweb approved these changes

Assignees
No one assigned
Labels
akka-remote dotnetty
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Arkatufus @Aaronontheweb