https://bz.apache.org/bugzilla/show_bug.cgi?id=61310
Bug ID: 61310
Summary: mod_reqtimeout does not timeout during SSL handshakes
Product: Apache httpd-2
Version: 2.4.26
Hardware: PC
OS: FreeBSD
Status: NEW
Severity: normal
Priority: P2
Component: mod_reqtimeout
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
It seems that `mod_reqtimeout` timeout only starts when the SSL handshake has
been fulfilled.
Here is a simple configuration to show the issue:
# Ensure that accept filters do not interfere
AcceptFilter http none
AcceptFilter https none
# Apache core timeout
Timeout 30
# mod_reqtimeout timeout
RequestReadTimeout header=5 body=5
A connection made with `openssl s_client` correctly times out after 5 seconds
as expected:
user@host:~$ time openssl s_client -quiet -host www.mydomain.test -port 443
depth=0 CN = default.invalid
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = default.invalid
verify return:1
real 0m5.082s
user 0m0.006s
sys 0m0.016s
However a connection made using `telnet` remains open for 30 seconds, until the
Apache core global `Timeout` value expires:
user@host:~$ time telnet www.mydomain.test 443
Trying 192.168.0.1...
Connected to mydomain.test.
Escape character is '^]'.
Connection closed by foreign host.
real 0m30.028s
user 0m0.003s
sys 0m0.012s
The expected behavior is for this connection to be interrupted after 5 seconds
too, as defined in the `RequestReadTimeout` setting.
For reference, `mod_reqtimeout` documentation[1] seems to imply that its
timeout should cover the SSL handshake ("If a common configuration is used for
http and https virtual hosts, the timeouts should not be set too low") which
does not seem to be the case here, hence the bug report.
Moreover, `mod_reqtimeout` is cited by Wikipedia[2] as "the official
solution supported by the developers" to mitigate the Slowloris class of attacks.
The fact that it does not impose any timeout on the SSL handshake strongly
limits its effectiveness for such use.
[1]: https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
[2]: https://en.wikipedia.org/wiki/Slowloris_(computer_security)#Mitigating_the_Slowloris_attack
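The following is an added example, not code from the report or from httpd: a small Python probe that repeats the `telnet` measurement above (open a TCP connection to the TLS port, send nothing, time how long the server keeps it open) and classifies the result against the configured `RequestReadTimeout`. The local stand-in listener, the host/port values and the 1-second slack are assumptions so the probe can be exercised offline.

```python
import socket
import threading
import time
from typing import Optional


def measure_idle_close(host: str, port: int, max_wait: float) -> Optional[float]:
    """Connect over plain TCP and send nothing (no TLS ClientHello), like the
    `time telnet host 443` check in the report. Returns the seconds until the
    server closes the connection, or None if it is still open after max_wait."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=max_wait) as sock:
        try:
            while True:
                if not sock.recv(1024):  # b"" means the peer closed
                    break
                if time.monotonic() - start > max_wait:
                    return None
        except (socket.timeout, TimeoutError):
            return None  # still open: only the long global Timeout applies
        except ConnectionResetError:
            pass  # an RST also ends the idle connection
    return time.monotonic() - start


def handshake_timeout_enforced(elapsed: Optional[float], expected: float,
                               slack: float = 1.0) -> bool:
    """True when the idle pre-handshake connection was dropped within
    expected+slack seconds, i.e. RequestReadTimeout rather than Timeout won."""
    return elapsed is not None and elapsed <= expected + slack


def start_closing_listener(delay: float) -> int:
    """Constructed stand-in for httpd so the probe runs offline: accept one
    connection on 127.0.0.1, close it after `delay` seconds, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run() -> None:
        conn, _ = srv.accept()
        time.sleep(delay)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real vhost configured with `header=5`, call `measure_idle_close("www.mydomain.test", 443, max_wait=35.0)` and expect `handshake_timeout_enforced(elapsed, 5.0)` to be true; with the behaviour described in this report it returns ~30 seconds and the check fails. Later httpd releases (2.4.39 and later) added a `handshake=` stage to `RequestReadTimeout`, and the same probe confirms whether that value is actually enforced.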