When a connection is established to use TCP-MD5, tcp_twrespond() doesn't
respond with a signed segment. This results in the host performing the
active close remaining in the TIME_WAIT state and the other host in the
LAST_ACK state.

This can be observed in the following tcpdump output (some fields omitted for brevity):
  /* initial handshake */
  14:11:18.532759 IP cobra.30669 > jet.65000: Flags [S], [md5 valid], length 0
  14:11:18.532787 IP jet.65000 > cobra.30669: Flags [S.], [md5 valid], length 0
  14:11:18.532943 IP cobra.30669 > jet.65000: Flags [.], [md5 valid], length 0
  /* active close from host cobra */
  14:11:20.349025 IP cobra.30669 > jet.65000: Flags [F.], [md5 valid]
  14:11:20.349051 IP jet.65000 > cobra.30669: Flags [.], [md5 valid]
  14:11:20.349094 IP jet.65000 > cobra.30669: Flags [F.], [md5 valid]
  /* here, cobra doesn't send MD5 signature */
  14:11:20.349228 IP cobra.30669 > jet.65000: Flags [.], [no md5 signature]
  14:11:20.602478 IP jet.65000 > cobra.30669: Flags [F.], [md5 valid]
  14:11:20.602662 IP cobra.30669 > jet.65000: Flags [.], [no md5 signature]
  14:11:20.911826 IP jet.65000 > cobra.30669: Flags [F.], [md5 valid]
  14:11:20.912010 IP cobra.30669 > jet.65000: Flags [.], [no md5 signature]
  ... [ more of the above ] ...
  /* jet eventually resets the connection */
  14:13:38.695713 IP jet.65000 > cobra.30669: Flags [R.], [md5 valid]
After this fix, the following tcpdump can be observed:
  /* initial handshake */
  16:37:12.923483 IP cobra.23796 > jet.65000: Flags [S], [md5 valid]
  16:37:12.923510 IP jet.65000 > cobra.23796: Flags [S.], [md5 valid]
  16:37:12.923673 IP cobra.23796 > jet.65000: Flags [.], [md5 valid]
  /* perform an active close from cobra to jet */
  16:37:32.447707 IP cobra.23796 > jet.65000: Flags [F.], [md5 valid]
  16:37:32.447743 IP jet.65000 > cobra.23796: Flags [.], [md5 valid]
  16:37:32.447780 IP jet.65000 > cobra.23796: Flags [F.], [md5 valid]
  16:37:32.447991 IP cobra.23796 > jet.65000: Flags [.], [md5 valid]
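The symptom above (a peer that negotiated TCP-MD5 emitting unsigned segments during the close) can be checked for in a capture. The following script is an added example, not part of the commit or the FreeBSD tree; it parses tcpdump lines in the format shown above, remembers which flows carried a valid MD5 option on the SYN, and reports every later segment on such a flow that lacks a signature. The sample capture embedded in it is constructed to mirror the pre-fix trace.

```python
import re

# Constructed sample capture modelled on the pre-fix tcpdump output above
# (fields trimmed); not taken verbatim from any real system.
SAMPLE = """\
14:11:18.532759 IP cobra.30669 > jet.65000: Flags [S], [md5 valid], length 0
14:11:18.532787 IP jet.65000 > cobra.30669: Flags [S.], [md5 valid], length 0
14:11:18.532943 IP cobra.30669 > jet.65000: Flags [.], [md5 valid], length 0
14:11:20.349025 IP cobra.30669 > jet.65000: Flags [F.], [md5 valid]
14:11:20.349051 IP jet.65000 > cobra.30669: Flags [.], [md5 valid]
14:11:20.349094 IP jet.65000 > cobra.30669: Flags [F.], [md5 valid]
14:11:20.349228 IP cobra.30669 > jet.65000: Flags [.], [no md5 signature]
14:11:20.602478 IP jet.65000 > cobra.30669: Flags [F.], [md5 valid]
14:11:20.602662 IP cobra.30669 > jet.65000: Flags [.], [no md5 signature]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], "
    r"\[(?P<md5>[^\]]*)\]"
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["signed"] = d["md5"] == "md5 valid"
    return d

def flow_key(src, dst):
    # Direction-independent key so both halves of a connection share state
    return tuple(sorted((src, dst)))

def find_unsigned_segments(text):
    """Return (timestamp, src, dst, flags) for every unsigned segment on a
    flow whose SYN carried a valid MD5 option. A peer that negotiated TCP-MD5
    must sign every segment, including the final ACK of the close."""
    signed_flows = set()
    findings = []
    for line in text.splitlines():
        p = parse(line)
        if p is None:
            continue
        key = flow_key(p["src"], p["dst"])
        if "S" in p["flags"] and p["signed"]:
            signed_flows.add(key)
        elif key in signed_flows and not p["signed"]:
            findings.append((p["ts"], p["src"], p["dst"], p["flags"]))
    return findings
```

Run against the post-fix trace, the same function returns an empty list, since every segment of the close is signed.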