Full_Name: Fred Romelfanger
Version: 2.8.7
OS: Solaris
Submission from: (NULL) (130.167.114.38)


I noticed during a stress test that I would see the following
error occasionally.

[Thu Mar 21 12:14:29 2002] [error] mod_ssl: SSL handshake timed out (client 130.167.114.38, server hoth.stsci.edu:443)

When the timeout occurs, one of my threads (in Java) that is making the
https connection locks up.

I believe the timeout is not being reset if some sort of error
occurs on a prior pass through the module.  In ssl_hook_NewConnection
a timeout is set up prior to the while loop, and then the timeout
is removed at the end of the while loop.  There are several instances
within the while loop where the code can return, but not clear the
timeout.  If I move the timeout code so it is just around the
SSL_accept call, the timeouts no longer occur:

    /*
     * We have to manage a I/O timeout ourself, because Apache
     * does it the first time when reading the request, but we're
     * working some time before this happens.
     */
        ap_ctx_set(ap_global_ctx, "ssl::handshake::timeout", (void *)FALSE);
        ap_set_callback_and_alarm(ssl_hook_TimeoutConnection, srvr->timeout);
                
        rc = SSL_accept(ssl);
                
    /*
     * Remove the timeout handling
     */
        ap_set_callback_and_alarm(NULL, 0);
        ap_ctx_set(ap_global_ctx, "ssl::handshake::timeout", (void *)FALSE);

        if( rc <= 0) {


My guess is that a timeout is being set up for a prior connection
and for some reason it is not being cleared.  A later connection
comes in and gets artificially timed out.  If this is correct, this
has some denial of service implications with intentionally causing SSL
errors to prevent other users from being able to access the server.
The problem with the above fix is that I wasn't sure if any of the
other code in the while loop actually interacted with the client
application that could then get stuck in a read/write call.

Also the timeouts appear to be too short.  I didn't understand that.
It looks like it is supposed to use the Timeout value from the Apache
configuration file.  I have this set to 300 (seconds), but the timeout
occurs sooner than that, so there may be something else going on that
I don't see.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
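
The pattern the report suspects (a process-wide alarm armed before per-connection work, with an error return that skips the clear) can be reproduced in isolation with POSIX interval timers. This is an added example, not mod_ssl code and not the reporter's; the function names and the 50 ms timeout are hypothetical, and it models the report's guess rather than confirming it.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <signal.h>
#include <sys/time.h>
#include <time.h>

#define TIMEOUT_MS 50   /* constructed; stands in for the server timeout */
static volatile sig_atomic_t alarm_fired;
static void on_alarm(int sig) { (void)sig; alarm_fired = 1; }

/* Arm (ms > 0) or clear (ms == 0) the one process-wide timer. */
static void set_alarm_ms(long ms) {
    struct itimerval it = { .it_value = { ms / 1000, (ms % 1000) * 1000 } };
    setitimer(ITIMER_REAL, &it, NULL);
}
static void sleep_ms(long ms) {   /* sleeps the full time across EINTR */
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    while (nanosleep(&ts, &ts) == -1 && errno == EINTR) { }
}

/* Timer armed before all per-connection work: the error return leaves it set. */
int conn_wide_timer(int setup_fails) {
    set_alarm_ms(TIMEOUT_MS);
    if (setup_fails) return -1;   /* early return, timer never cleared */
    sleep_ms(5);                  /* stands in for the blocking handshake */
    set_alarm_ms(0);
    return 0;
}

/* Timer wrapped around the blocking call only, as in the report's change. */
int conn_scoped_timer(int setup_fails) {
    if (setup_fails) return -1;   /* nothing armed yet, nothing to leak */
    set_alarm_ms(TIMEOUT_MS);
    sleep_ms(5);
    set_alarm_ms(0);
    return 0;
}

/* Fail one connection, stay busy past the timeout; 1 if its timer fired later. */
int stale_alarm_after(int (*conn)(int)) {
    signal(SIGALRM, on_alarm);
    alarm_fired = 0;
    conn(1);
    sleep_ms(3 * TIMEOUT_MS);
    set_alarm_ms(0);
    return alarm_fired;
}

int main(void) {   /* exit status 0 when the model behaves as described */
    return !(stale_alarm_after(conn_wide_timer) == 1 &&
             stale_alarm_after(conn_scoped_timer) == 0);
}
```

The other way to close the leak is to clear the timer on every return path; scoping it to the blocking call leaves any other client I/O in the loop without a timeout, which is the open question the report raises.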
