Repository: trafficserver Updated Branches: refs/heads/master 65fa4ec51 -> 9a1b0fcf0
[TS-3727]: Add a timer for SSL server handshake duration.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/9a1b0fcf
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/9a1b0fcf
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/9a1b0fcf
Branch: refs/heads/master
Commit: 9a1b0fcf098ff104dd375f99ad650a4e426f56fd
Parents: 65fa4ec
Author: Sudheer Vinukonda <[email protected]>
Authored: Tue Jun 30 15:28:35 2015 +0000
Committer: Sudheer Vinukonda <[email protected]>
Committed: Tue Jun 30 15:28:35 2015 +0000
----------------------------------------------------------------------
 iocore/net/P_SSLConfig.h | 1 +
 iocore/net/SSLConfig.cc | 3 +++
 iocore/net/SSLNetVConnection.cc | 16 ++++++++++++++++
 iocore/net/SSLNextProtocolAccept.cc | 1 -
 mgmt/RecordsConfig.cc | 2 ++
 5 files changed, 22 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9a1b0fcf/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 68dd50f..1a6cd60 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -92,6 +92,7 @@ struct SSLConfigParams : public ConfigInfo {
   static int ssl_ocsp_cache_timeout;
   static int ssl_ocsp_request_timeout;
   static int ssl_ocsp_update_period;
+  static int ssl_handshake_timeout_in;
   static size_t session_cache_number_buckets;
   static size_t session_cache_max_bucket_size;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9a1b0fcf/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 8e7766d..0690655 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -48,6 +48,7 @@ bool SSLConfigParams::ssl_ocsp_enabled = false;
 int SSLConfigParams::ssl_ocsp_cache_timeout = 3600;
 int SSLConfigParams::ssl_ocsp_request_timeout = 10;
 int SSLConfigParams::ssl_ocsp_update_period = 60;
+int SSLConfigParams::ssl_handshake_timeout_in = 0;
 size_t SSLConfigParams::session_cache_number_buckets = 1024;
 bool SSLConfigParams::session_cache_skip_on_lock_contention = false;
 size_t SSLConfigParams::session_cache_max_bucket_size = 100;
@@ -269,6 +270,8 @@ SSLConfigParams::initialize()
   REC_EstablishStaticConfigInt32(ssl_ocsp_request_timeout, "proxy.config.ssl.ocsp.request_timeout");
   REC_EstablishStaticConfigInt32(ssl_ocsp_update_period, "proxy.config.ssl.ocsp.update_period");
+  REC_ReadConfigInt32(ssl_handshake_timeout_in, "proxy.config.ssl.handshake_timeout_in");
+
   // ++++++++++++++++++++++++ Client part ++++++++++++++++++++
   client_verify_depth = 7;
   REC_ReadConfigInt32(clientVerify, "proxy.config.ssl.client.verify.server");
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9a1b0fcf/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 60061fd..f9092db 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
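Review bot: The added `REC_ReadConfigInt32(ssl_handshake_timeout_in, "proxy.config.ssl.handshake_timeout_in");` gives a reader neither the unit nor the meaning of the default 0; both only become apparent from the `> 0` guard and the `HRTIME_SECONDS()` wrapping in SSLNetVConnection.cc. Add `// Wall-clock limit, in seconds, for the server-side TLS handshake; 0 skips the handshake-duration check in net_read_io.` above the call, and the same sentence on the declaration in P_SSLConfig.h. Reading it once with REC_ReadConfigInt32 rather than the REC_EstablishStaticConfigInt32 used on the two preceding lines looks adequate given the record is registered RECU_RESTART_TS in RecordsConfig.cc, but a short note saying so would save the next maintainer the lookup. SSLConfigParams::initialize() continues past the end of the hunk.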
@@ -465,6 +465,17 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread)
       this->read.triggered = 0;
       readSignalError(nh, err);
     } else if (ret == SSL_HANDSHAKE_WANT_READ || ret == SSL_HANDSHAKE_WANT_ACCEPT) {
+      if (SSLConfigParams::ssl_handshake_timeout_in > 0) {
+        double handshake_time = ((ink_get_hrtime_internal() - sslHandshakeBeginTime)/1000000000);
+        Debug ("ssl", "ssl handshake for vc %p, took %.3f seconds, configured handshake_timer: %d", this, handshake_time, SSLConfigParams::ssl_handshake_timeout_in);
+        if (handshake_time > SSLConfigParams::ssl_handshake_timeout_in) {
+          Debug ("ssl", "ssl handshake for vc %p, expired, release the connection", this);
+          read.triggered = 0;
+          nh->read_ready_list.remove(this);
+          readSignalError(nh, VC_EVENT_EOS);
+          return;
+        }
+      }
       read.triggered = 0;
       nh->read_ready_list.remove(this);
       readReschedule(nh);
@@ -839,6 +850,11 @@ SSLNetVConnection::free(EThread *t)
 int
 SSLNetVConnection::sslStartHandShake(int event, int &err)
 {
+  if (sslHandshakeBeginTime == 0) {
+    sslHandshakeBeginTime = ink_get_hrtime_internal();
+    // net_activity will not be triggered until after the handshake
+    set_inactivity_timeout(HRTIME_SECONDS(SSLConfigParams::ssl_handshake_timeout_in));
+  }
   switch (event) {
   case SSL_EVENT_SERVER:
     if (this->ssl == NULL) {
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9a1b0fcf/iocore/net/SSLNextProtocolAccept.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNextProtocolAccept.cc b/iocore/net/SSLNextProtocolAccept.cc
index 6399e1d..08b5920 100644
--- a/iocore/net/SSLNextProtocolAccept.cc
+++ b/iocore/net/SSLNextProtocolAccept.cc
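Review bot: The elapsed time on the `double handshake_time = ((ink_get_hrtime_internal() - sslHandshakeBeginTime)/1000000000);` line is computed with integer division before the conversion to double, so it is truncated to whole seconds: the `%.3f` in the following Debug always prints `.000`, and the `handshake_time > ssl_handshake_timeout_in` comparison only fires once a full extra second beyond the configured limit has elapsed. Keep the arithmetic in ink_hrtime instead: `ink_hrtime handshake_elapsed = ink_get_hrtime_internal() - sslHandshakeBeginTime;` and `if (handshake_elapsed > HRTIME_SECONDS(SSLConfigParams::ssl_handshake_timeout_in))`, printing e.g. `ink_hrtime_to_msec(handshake_elapsed)` in the Debug. Reporting the expiry as `VC_EVENT_EOS` also makes a deliberately dropped slow handshake look like a peer close to whoever inspects the event; `VC_EVENT_INACTIVITY_TIMEOUT` would be the more honest code if readSignalError's consumers accept it, which this hunk does not show. Note that this check only runs when the handshake returns WANT_READ/WANT_ACCEPT, i.e. when the client sent something, so a client that sends nothing is covered solely by the inactivity timeout armed in sslStartHandShake. net_read_io begins and ends outside the hunk.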
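Review bot: The `set_inactivity_timeout(HRTIME_SECONDS(SSLConfigParams::ssl_handshake_timeout_in));` call runs unconditionally, so with the shipped default of 0 it is invoked with a zero timeout; if a zero argument clears the inactivity timer, as the name suggests, a default configuration ends up with no inactivity timeout at all for the pre-handshake phase, leaving idle half-open TLS connections pinned until the client goes away, the opposite of what this change intends. Guard it the same way the net_read_io hunk does: `if (SSLConfigParams::ssl_handshake_timeout_in > 0) { set_inactivity_timeout(HRTIME_SECONDS(SSLConfigParams::ssl_handshake_timeout_in)); }`. The `sslHandshakeBeginTime == 0` guard also relies on the field being zeroed when a vc is recycled; free() sits just above this hunk but its body is not shown, so please confirm it resets sslHandshakeBeginTime, otherwise a reused vc keeps its stale begin time and the elapsed-time check in net_read_io trips on the first WANT_READ of its next handshake. The rest of sslStartHandShake continues past the hunk.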
@@ -117,7 +117,6 @@ SSLNextProtocolAccept::mainEvent(int event, void *edata)
 {
   SSLNetVConnection *netvc = ssl_netvc_cast(event, edata);
-  netvc->sslHandshakeBeginTime = Thread::get_hrtime();
   Debug("ssl", "[SSLNextProtocolAccept:mainEvent] event %d netvc %p", event, netvc);
   switch (event) {
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9a1b0fcf/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 0f9d8c8..b6a0922 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1282,6 +1282,8 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.dhparams_file", RECD_STRING, NULL, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.handshake_timeout_in", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-65535]", RECA_NULL}
+  ,
   //##############################################################################
   //#
   //# OCSP (Online Certificate Status Protocol) Stapling Configuration
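Review bot: The new `proxy.config.ssl.handshake_timeout_in` record is not accompanied by any documentation change (the diffstat lists only source files), so the meaning of the default `"0"` and of the `[0-65535]` range is recorded nowhere an operator will see it. Add an entry for it to the records.config reference next to `proxy.config.ssl.server.dhparams_file`, stating that the value is in seconds, that 0 skips the handshake-duration check, and that a restart is required (the record is RECU_RESTART_TS). Since the first hunk in this section removes the only other place `sslHandshakeBeginTime` was assigned, the doc entry is also the right place to say the timer now starts at the first sslStartHandShake call rather than at accept. The RecordsConfig[] table continues on both sides of the hunk.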
