Enable TCP keepalives for HTTP connections

This fix enables TCP keepalives at the OS layer. It also enables a 15
minute deadline timer at the bmcweb level when waiting on an idle HTTP
keepalive conn

Enable TCP keepalives for HTTP connections

This fix enables TCP keepalives at the OS layer. It also enables a 15
minute deadline timer at the bmcweb level when waiting on an idle HTTP
keepalive connection.

Tested: romulus image running bmcweb, start connections with keepalive,
block incoming connections `iptables -P INPUT DROP`, validate that
sockets eventually die and are tracked with keepalives `ss -nto`

Change-Id: I8f5040440348c060dae1d0516ec202a0e4dc349e
Signed-off-by: Joey Berkovitz <joey@berkovitz.us>

show more ...

Use std::format for hex conversions

Deprecate intoToHex handler now that we can do everything using
std::format.

Tested: RSV passes
Redfish protocol validator passes

Change-Id: I71000506573314d6c9

Use std::format for hex conversions

Deprecate intoToHex handler now that we can do everything using
std::format.

Tested: RSV passes
Redfish protocol validator passes

Change-Id: I71000506573314d6c9326c4677f5fbca1ca02b46
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Don't log EOF as error in HTTP/2

EOF occurs when HTTP/2 clients close connection after completing
requests (e.g., curl). This is normal for multiplexed connections. EOF
indicates graceful shutdown,

Don't log EOF as error in HTTP/2

EOF occurs when HTTP/2 clients close connection after completing
requests (e.g., curl). This is normal for multiplexed connections. EOF
indicates graceful shutdown, not an error condition.

Change-Id: I3291b23c7784a2273f2de05afc71ddb57dd0c28a
Signed-off-by: Amy Chang <yahanc@nvidia.com>
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Fix websocket error log handling

The commit b0ae71c[1] mishandles the error handling branches which
cause `operation_aborted` to be reported as an error.

```
else if (ec != <error-cases

Fix websocket error log handling

The commit b0ae71c[1] mishandles the error handling branches which
cause `operation_aborted` to be reported as an error.

```
else if (ec != <error-cases>)
{
BMCWEB_LOG_ERROR("doRead error {}", ec);
}
else if (ec == boost::asio::error::operation_aborted)
{
BMCWEB_LOG_WARNING("doRead operation is aborted: {}", ec);
}
```

This needs to handle `operation_aborted` first.

Tested:
- Unit test passes

[1] https://github.com/openbmc/bmcweb/commit/b0ae71c8f503b9e56a5bf88549346b15e7961e26

Change-Id: Ie4b0eafabcf41adf661ab3abc1fe1282c13d1d82
Signed-off-by: Myung Bae <myungbae@us.ibm.com>

show more ...

Suppress websocket aborted error log

When websocket is aborted under some situations like GUI console is
aborted earlier before websocket write is still waiting for completion,
it is currently logge

Suppress websocket aborted error log

When websocket is aborted under some situations like GUI console is
aborted earlier before websocket write is still waiting for completion,
it is currently logged as ERROR. However, it may not need to be an
error. This commit will change it as WARNING.

For example,

```
Oct 31 10:40:29 balco10 bmcwebd[1230]: [websocket_impl.hpp:305] Error in ws.async_write Operation canceled [system:125 at /usr/include/boost/beast/websocket/impl/stream_impl.hpp:355:13 in function 'bool boost::beast::websocket::stream< <template-parameter-1-1>, <anonymous> >::impl_type::check_stop_now(boost::beast::error_code&)']
```

Tested:
- While GUI page is loading pages (e.g. pcie topology), close
web-browser and check the bmcweb journal records.

Change-Id: I4b16c21d2784ec0b9774ab256f833bb38fc34a27
Signed-off-by: Myung Bae <myungbae@us.ibm.com>

show more ...

Break out lambdas in websocket

Move out the large lambdas into normal methods to maintain more easily.

Tested:
- Unit tests pass

Change-Id: I9450af36d45b2b17e8a063f383d91026db581d27
Signed-off-by:

Break out lambdas in websocket

Move out the large lambdas into normal methods to maintain more easily.

Tested:
- Unit tests pass

Change-Id: I9450af36d45b2b17e8a063f383d91026db581d27
Signed-off-by: Myung Bae <myungbae@us.ibm.com>

show more ...

Bypass resolver

If we are given an ip address to the http client, there's no reason to
call the dns resolver. Implement a procedure to "skip" resolution if
the http client is an ip address.

Tested

Bypass resolver

If we are given an ip address to the http client, there's no reason to
call the dns resolver. Implement a procedure to "skip" resolution if
the http client is an ip address.

Tested:
Using an ipv4 address from a system not running OpenBMC dbus (in this
case an Ubuntu system) now can resolve an IP address. Redfish works
with later patches.

Change-Id: I094ec7b3015e1e31cb83f0e1c25f6c1fb6685219
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Aggregation: Add basic authentication support

Add support for basic authentication when connecting to aggregation
sources. This allows satellite BMCs to be authenticated using
username and password

Aggregation: Add basic authentication support

Add support for basic authentication when connecting to aggregation
sources. This allows satellite BMCs to be authenticated using
username and password credentials.

The implementation:
- Stores credentials alongside URLs in AggregationSource struct
- Validates credentials: no colons, max 40 chars, not empty strings
- Creates Basic Auth headers using base64 encoding
- Only sends Authorization header when both username and password exist
- Adds PATCH handler for updating credentials independently
- Prevents duplicate aggregation sources with same hostname
- Cleans up credentials when aggregation sources are deleted

Tested: Manual testing with authenticated aggregation sources

Change-Id: Ide17a3c08a4a8f6b90a2ffcd2c798cbbec578db8
Signed-off-by: Kamran Hasan <khasan@nvidia.com>

show more ...

Remove getNthStringFromPath function

This utility function is being removed for several reasons. First, it
does not verify the full string on URIs and paths, so things like
/foo/bar/baz/valid_id wo

Remove getNthStringFromPath function

This utility function is being removed for several reasons. First, it
does not verify the full string on URIs and paths, so things like
/foo/bar/baz/valid_id would still pass this check.

Second, it is used for both URIs and dbus paths, both of which we have
better utility functions these days respectively, boost::url for urls
and sdbusplus::message::object_path for dbus paths. Neither of the two
is escaped properly when this function is used.

Therefore, remove it and replace it with the appropriate alternatives.

The existing URI functions were found to not accept fragments (given
they are rarely used in PATCH). Add support for fragments to cover the
getNthStringFromPath use cases.

Tested: Redfish service validator passes.

Change-Id: Ibc6755ad69397123d7fef0e0b764042bbb48888b
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Fix the corrupted Trie routing tree

The routing table may potentially become corrupted during the routing
table construction as the vector element pointer becomes invalid if the
vector is resized [1

Fix the corrupted Trie routing tree

The routing table may potentially become corrupted during the routing
table construction as the vector element pointer becomes invalid if the
vector is resized [1].

http/routing/trie.hpp#L241:
```
ContainedType& node = nodes[idx];
size_t* param = &node.stringParamChild;
if (str1 == "<path>")
{
param = &node.pathParamChild;
}
if (*param == 0U)
{
L249:
*param = newNode(); // <---
}
idx = *param;
```

Here, `newNodes()` at L249 may resize the vector of `nodes[]` and thus
the reference of `nodes[idx]` becomes invalid and thus the previously
saved the pointer of `param` is invalid.

The similar issue is also at sub_route_trie construction [5].

This problem may be shown during CI/valgrind test depending on the order
of route setups in [2].

For example, for the commit 39574 [3], if `requestsRoutesAssembly()` is
added earlier than `requestRoutesProcessorCollection()`, it causes
CI/valgrind test fails [3].

The error looks like [4].

[1] https://github.com/openbmc/bmcweb/blob/master/http/routing/trie.hpp#L241
[2] https://github.com/openbmc/bmcweb/blob/master/redfish-core/src/redfish.cpp
[3] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/39574
[4] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/39574/comment/15e652e0_f8881ffc/
[5] https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/sub_route_trie.hpp#L160

Tested:
- CI with https://gerrit.openbmc.org/c/openbmc/bmcweb/+/39574 passes
after rebase of having earlier `requestsRoutesAssembly()`.
- Redfish Service Validator passes

Change-Id: I349777dfab65f2d41eb5db25796d82322b3c36cc
Signed-off-by: Myung Bae <myungbae@us.ibm.com>

show more ...

Tune http2 window and frame sizes

http2 maintains its own frame ACK window per stream. While the defaults
work well in most cases, for large binary uploads, like Redfish
UpdateService, the relative

Tune http2 window and frame sizes

http2 maintains its own frame ACK window per stream. While the defaults
work well in most cases, for large binary uploads, like Redfish
UpdateService, the relatively small default window size of 16KB leads to
slower performance than http1. While it's not expected to see a
performance improvement, we would prefer to not see a regression for a
normal use case.

Update the HTTP2 max frame size to 16KB. Setting the internal buffer to
the same size + the http2 header allows clocking in the entire frame in
one async read. Note, setting the value higher than 16KB doesn't appear
to allow curl to send larger frames.

Also update the HTTP window size to 512KB, or 32 times the max frame
size. Note, all streams including the control stream are set to this
value, which, while somewhat arbitrary, allows for continued
UpdateService pushing without pauses for window ACK.

Tested:
POST /redfish/v1/UpdateService/update-multipart
Of an arbitrary 100MB file through curl shows that --http1.1 option and
--http2 option are within 5% of the same upload time.

Change-Id: I7ff6296a9cc0794aad63f5058620c0f1fb9299e3
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Filter http2 headers

When using aggregation with http2, :authority headers were getting
forwarded to the client, which didn't know how to deal with them on
http1.

Filter all http2 headers.

Tested:

Filter http2 headers

When using aggregation with http2, :authority headers were getting
forwarded to the client, which didn't know how to deal with them on
http1.

Filter all http2 headers.

Tested: Unit tests pass.

Change-Id: I6a834656b604004eeba1a2aa2f245ef211f28495
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Add check to omit `DateTime` from etag calculation

Ignores any json property named `DateTime` when calculating
the etag value of an HTTP response as per the updated
Redfish Spec (section 6.5: ETags)

Add check to omit `DateTime` from etag calculation

Ignores any json property named `DateTime` when calculating
the etag value of an HTTP response as per the updated
Redfish Spec (section 6.5: ETags)

Tested:
- Redfish Service Validator passes
- Tested on romulus:
1. GET resource with a "DateTime" field
```
curl -k -H "X-Auth-Token: $XAUTH_TOKEN" "https://$BMC/redfish/v1/TaskService" \
--etag-save ./etag.txt -v
...
< etag: "6A4CE897"
...
{
"@odata.id": "/redfish/v1/TaskService",
"@odata.type": "#TaskService.v1_1_4.TaskService",
"CompletedTaskOverWritePolicy": "Oldest",
"DateTime": "2025-07-23T17:08:20+00:00",
"Id": "TaskService",
"LifeCycleEventOnTaskStateChange": true,
"Name": "Task Service",
"ServiceEnabled": true,
"Status": {
"State": "Enabled"
},
"Tasks": {
"@odata.id": "/redfish/v1/TaskService/Tasks"
}
```

2. GET same resource again later, etag is same as before
```
curl -k -H "X-Auth-Token: $XAUTH_TOKEN" "https://$BMC/redfish/v1/TaskService" \
--etag-save ./etag.txt -v
...
< etag: "6A4CE897"
...
{
"@odata.id": "/redfish/v1/TaskService",
"@odata.type": "#TaskService.v1_1_4.TaskService",
"CompletedTaskOverWritePolicy": "Oldest",
"DateTime": "2025-07-23T17:10:48+00:00",
"Id": "TaskService",
"LifeCycleEventOnTaskStateChange": true,
"Name": "Task Service",
"ServiceEnabled": true,
"Status": {
"State": "Enabled"
},
"Tasks": {
"@odata.id": "/redfish/v1/TaskService/Tasks"
}
```
"DateTime" is the only value to have changed, but since
it is ignored the etag did not change

3. GET with if-none-match returns 304
```
curl -k -H "X-Auth-Token: $XAUTH_TOKEN" "https://$BMC/redfish/v1/TaskService" \
--etag-save ./etag.txt --etag-compare ./etag.txt -v
...
> if-none-match: "6A4CE897"
...
< HTTP/2 304
< allow: GET
< odata-version: 4.0
< strict-transport-security: max-age=31536000; includeSubdomains
< pragma: no-cache
< cache-control: no-store, max-age=0
< x-content-type-options: nosniff
< etag: "6A4CE897"
< date: Wed, 23 Jul 2025 17:14:39 GMT
< content-length: 0
<
...
```

Change-Id: I51f7668e75719c69c55535e4a1e48c8bae7c9488
Signed-off-by: Corey Ethington <cethington@coreweave.com>

show more ...

Fix includes

Our includes haven't been enforced by tidy in a while. Run the script,
check in the result, minus the false positives.

Change-Id: I6a6da26f5ba5082d9b4aa17cdc9f55ebd8cd41a6
Signed-off-

Fix includes

Our includes haven't been enforced by tidy in a while. Run the script,
check in the result, minus the false positives.

Change-Id: I6a6da26f5ba5082d9b4aa17cdc9f55ebd8cd41a6
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Remove namespace in http layer

Within this namespace, we don't need to call crow, we are already in the
crow namespace.

Tested: Code compiles.

Change-Id: Ida57624ef1157f98f2719b5c3af536aebaca601e

Remove namespace in http layer

Within this namespace, we don't need to call crow, we are already in the
crow namespace.

Tested: Code compiles.

Change-Id: Ida57624ef1157f98f2719b5c3af536aebaca601e
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Fix 204/304 incorrectly tracing CRITICAL message

Resolve tracing of CRITICAL message on 1xx, 204(no-content) and 304(not
modified) when there is no body in the response.

The code is changed to chec

Fix 204/304 incorrectly tracing CRITICAL message

Resolve tracing of CRITICAL message on 1xx, 204(no-content) and 304(not
modified) when there is no body in the response.

The code is changed to check that 1xx, 204 and 304 response with
payloadsize of 0 will not trace the CRITICAL message.
Removed setting of no_content on PATCH that was being done before other
functions are called.

Tested: Used the following commands to check that the CRITICAL message
is no longer being traced for no-content and not modified response with
no body.

204 no-content
```
curl -k -H "Content-Type: application/json" \
-d '{"PowerRestorePolicy":"LastState"}' \
-X PATCH https://${bmc_ip}/redfish/v1/Systems/system
```

```
curl -k -H "Content-Type: application/json" \
-H "X-Auth-Token: $bmc_token" -X PATCH \
-d '{"LocationIndicatorActive":true}' \
https://${bmc_ip}/redfish/v1/Managers/bmc
```

304 not modified
```
curl -k -i https://${bmc_ip}/redfish/ --etag-save etag.out \
-H 'If-Modified-Since: Tue, 21 Nov 2050 08:00:00 GMT'

HTTP/1.1 200 OK
Allow: GET
.
.
.
ETag: "B3A9EAA1"
Content-Type: application/json
Date: Thu, 14 Aug 2025 22:07:27 GMT
Content-Length: 26

ETAG=`cat etag.out`; echo $ETAG

curl -k -i https://${bmc_ip}/redfish/ -H "If-None-Match: ${ETAG}"

HTTP/1.1 304 Not Modified
Allow: GET
.
.
.
ETag: "B3A9EAA1"
Date: Thu, 14 Aug 2025 22:16:27 GMT
Content-Length: 0
```

Change-Id: I98cc096c1f7e506687d4a6bf5a2e51b2231c0d68
Signed-off-by: Abiola Asojo <abiola.asojo@ibm.com>

show more ...

Enable Mutual TLS for http2 connections

Passing the TLS-provided credentials from the HTTP connection to the
http2 connection got missed, and appears to break mutual TLS for http2
connections. Pass

Enable Mutual TLS for http2 connections

Passing the TLS-provided credentials from the HTTP connection to the
http2 connection got missed, and appears to break mutual TLS for http2
connections. Pass the credentials.

Tested: Mutual TLS is now functional on http2 connections as shown in
the next patch.

Change-Id: Ia2bbcd5383dae859baa96908b76f221b9c74632c
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Trace URI when body on 204/304

Trace URI on the existing CRITICAL message when a body exists but HTTP
return code was Informational responses (100 – 199), no-content (204),
or not_modified (304).

T

Trace URI when body on 204/304

Trace URI on the existing CRITICAL message when a body exists but HTTP
return code was Informational responses (100 – 199), no-content (204),
or not_modified (304).

Tested: With these changes, the URI is traced on the CRITICAL message:

```
curl --http2 -k -H "Content-Type: application/json" \
-d '{"PowerRestorePolicy":"LastState"}' \
-X PATCH https://${bmc}/redfish/v1/Systems/system

root@p10bmc:~# journalctl | grep Response
Jun 20 15:30:46 p10bmc bmcwebd[296]: [http_response.hpp:213]
0x1353670 Response content provided but code was no-content
or not_modified, which aren't allowed to
have a body for url : "/redfish/v1/Systems/system"
```

Change-Id: I1ef618600642d355fc9f935d055b011e044caf5c
Signed-off-by: Abiola Asojo <abiola.asojo@ibm.com>

show more ...

Implement zstd decompression

Given the size of Redfish schemas these days, it would be nice to be
able to store them on disk in a zstd format. Unfortunately, not all
clients support zstd at this ti

Implement zstd decompression

Given the size of Redfish schemas these days, it would be nice to be
able to store them on disk in a zstd format. Unfortunately, not all
clients support zstd at this time.

This commit implements reading of zstd files from disk, as well as
decompressing zstd in the case where the client does not support zstd as
a return type.

Tested:
Implanted an artificial zstd file into the system, and observed correct
decompression both with an allow-encoding header of empty string and
zstd.

Change-Id: I8b631bb943de99002fdd6745340aec010ee591ff
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Move http2 out of experimental

Http2 support in bmcweb has been relatively stable for a while. The
http2 implementation passes all known Redfish tests (some of which
require ported to httpx to supp

Move http2 out of experimental

Http2 support in bmcweb has been relatively stable for a while. The
http2 implementation passes all known Redfish tests (some of which
require ported to httpx to support http2), the UI loads, and so far as
the project is concerned, is a complete improvement over the existing
http1 stack.

This commit removes the experimental classification from http2, and
declares it ready for production use, while enabling it by default.
note, that enabling this by default only makes the server advertise that
http2 is available. Http2 must still be supported by the client to
enable ALPN negotiation, so existing http1 clients that only support
http1 will continue to function as they did before.

Tested: Enabled http option and saw http2 advertised, http2 now takes
effect.

Change-Id: I92843a3afc532f0b2a64904bb872e5d84a1a54fe
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Fix invalid dereference on logging

cppcheck found a case which dereferences an invalid iterator like

```
http/logging.hpp:74:12: warning: Either the condition 'it!=mapping.end()' is redundant or th

Fix invalid dereference on logging

cppcheck found a case which dereferences an invalid iterator like

```
http/logging.hpp:74:12: warning: Either the condition 'it!=mapping.end()' is redundant or there is possible dereference of an invalid iterator: it. [derefInvalidIteratorRedundantCheck]
return it->second;
http/logging.hpp:69:12: note: Assuming that condition 'it!=mapping.end()' is not redundant
if (it != mapping.end())
^
http/logging.hpp:74:12: note: Dereference of an invalid iterator
return it->second;
^
```

Tested:
- Tries a various bmcweb loglevel.

Change-Id: Ieca8c5c5ee83f0b45a82c3d7e4f19b09bf1422e6
Signed-off-by: Myung Bae <myungbae@us.ibm.com>

show more ...

Minor cleanups in http client

All integers in a callback should be taken by value, not reference.
Fix a typo on "Async"
Implement a TODO on libssl, where a macro was removed, so we can now
directly

Minor cleanups in http client

All integers in a callback should be taken by value, not reference.
Fix a typo on "Async"
Implement a TODO on libssl, where a macro was removed, so we can now
directly call the function

Tested: Unit tests pass.

Change-Id: Iaccd100a6b5f0dc871ec2d2cb1f01bed3ceefde2
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Show websocket timeout log as WARNING

When websocket is closed due to a timeout under some situations like GUI
console not as responsive, itis currently logged as ERROR.
This commit changes it as WA

Show websocket timeout log as WARNING

When websocket is closed due to a timeout under some situations like GUI
console not as responsive, itis currently logged as ERROR.
This commit changes it as WARNING.

```
May 02 10:09:31 ever28bmc pldmd[836]: BIOS attribute 'hb_cap_freq_mhz_min' updated to value '2000' by BMC 'false'
May 02 10:09:31 ever28bmc pldmd[836]: BIOS attribute 'hb_cap_freq_mhz_max' updated to value '3900' by BMC 'false'
May 02 10:09:31 ever28bmc bmcweb[1100]: [ERROR websocket.hpp:268] doRead error The socket was closed due to a timeout [boost.beast:1 at /usr/include/boost/beast/websocket/impl/stream_impl.hpp:346:13 in function 'bool boost::beast::websocket::stream< <template-parameter-1-1>, <anonymous> >::impl_type::check_stop_now(boost::beast::error_code&)']
May 02 10:09:34 ever28bmc pldmd[836]: BIOS attribute 'hb_max_number_huge_pages' updated to value '64' by BMC 'false'
```

Tested:
- Load GUI pages and kill web-browser multiple times while reading BMC
journal records.

Change-Id: I7e15845be7d3762ef144744ca1aedadf96e43a2f
Signed-off-by: Myung Bae <myungbae@us.ibm.com>

show more ...

Do hard close if client disobeys protocol

There are cases bmcweb might close the connection due to a violation of
the protocol. Currently these are done gracefully, under the assumption
that a clie

Do hard close if client disobeys protocol

There are cases bmcweb might close the connection due to a violation of
the protocol. Currently these are done gracefully, under the assumption
that a client might attempt to recover. But this opens us up to
potentially leaving sockets open for far longer than we intend if the
client is completely gone, due to a disconnect or explicitly closing the
socket hard.

In cases where we get a protocol error, shutdown the socket hard, rather
than attempt to do things "correctly".

Tested:

I tested this MR using a script that simulated 5,000 parallel
connections simultaneously to BMC and closed them immediately without
properly sending a close_notify alert

Observations:

The BMC became unresponsive for 30-40 seconds before recovering.

After recovery, it took approximately 90 seconds to close all
connections in QEMU.
On real hardware, connection closure times may be slightly higher
(though still within expected parameters).

Conclusion:
This behavior aligns with expectations.

After 90 seconds observed that

1) No sockets in CLOSE_WAIT state

2) Able to make new connection.

```

curl -k -H "X-Auth-Token:$bmc_token" https://${IP}/redfish/v1/AccountService/Accounts
{
"@odata.id": "/redfish/v1/AccountService/Accounts",
"@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
"Description": "BMC User Accounts",
"Members": [
{
"@odata.id": "/redfish/v1/AccountService/Accounts/root"
}
],
"Members@odata.count": 1,
"Name": "Accounts Collection"
}

```
Change-Id: I6ab4347efd8fda9ae86bfbb8575666ad3eabe88c
Signed-off-by: Ed Tanous <etanous@nvidia.com>
Signed-off-by: Chandramohan Harkude <chandramohan.harkude@gmail.com>

show more ...

Fix DOS attack scenario

Problem : When 201 connections made in parallel to BMC and closed them
immediately without properly sending a close_notify alert it was
observed that Bmcweb server was taking

Fix DOS attack scenario

Problem : When 201 connections made in parallel to BMC and closed them
immediately without properly sending a close_notify alert it was
observed that Bmcweb server was taking several minutes to close the
sockets. All the 200 TCP sockets were in CLOSE_WAIT state.

Journal log shows below line
[CRITICAL http_connection.hpp:213] 0x29d1ef0Max connection count
exceeded.

```
Not able to make new connection

$ curl -k -H "X-Auth-Token:$bmc_token" -X GET https://${BMC_IP}/redfish
/v1/AccountService/Accounts
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to
127.0.0.1:2443

Fix : The bmcweb server failed to identify the end of stream at TCP (SSL
/TLS) layer, therefore added check to identify the end of stream which
closes the connection and socket

Test :

I tested this MR using a script that simulated 5,000 parallel
connections simultaneously to BMC and closed them immediately without
properly sending a close_notify alert

Observations:

The BMC became unresponsive for 30-40 seconds before recovering.

After recovery, it took approximately 90 seconds to close all
connections in QEMU.
On real hardware, connection closure times may be slightly higher
(though still within expected parameters).

Conclusion:
This behavior aligns with expectations.

After 90 seconds observed that
1) No sockets in CLOSE_WAIT state

2) Able to make new connection.

curl -k -H "X-Auth-Token:$bmc_token" https://${IP}/redfish/v1/AccountService/Accounts
{
"@odata.id": "/redfish/v1/AccountService/Accounts",
"@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
"Description": "BMC User Accounts",
"Members": [
{
"@odata.id": "/redfish/v1/AccountService/Accounts/root"
}
],
"Members@odata.count": 1,
"Name": "Accounts Collection"
}
```

Change-Id: I1c277db0b774d33c656b4a2b1bd14f3575535bec
Signed-off-by: Chandramohan Harkude <chandramohan.harkude@gmail.com>

show more ...