Hi,

I have a service written in Perl, running on Linux that presents a very simple SSL listener. When this service is hit, it identifies the connecting node from its certificate/peer address and just sends some xml to them containing data from some files in the queue directory that contains their data.

All the client does is to open a socket and start reading.

This works, but it is susceptible to problems which I believe are caused by clients with bad internet connections (the pathology suggests this). It seems that something unpleasant occurs in the SSL handshake process which causes the socket to hang indefinitely. Nobody else can connect when this has happened.

I currently have a very crude monitor program that checks the activity log of the main service and, if things go suspiciously quiet, it restarts the listener service. It also logs the result of a filtered run of 'netstat' which shows who was involved with the problem. Some hosts feature a lot more regularly, which leads me to believe it is some net environment problem.

But that's all a distraction. The fact is that the service shouldn't be susceptible to the vagaries of what stupid clients or bad networks do.

I *do* get some action on my SSL_error_trap routine. These errors log nicely and don't cause a hang and don't seem to coincide with any hangs.

Pretty much immediately after the accept the program forks a handler, but the rogue clients must be glomming onto the main process before the SSL negotiation is complete.

I can't help thinking that I should be able to tell SSL to have some sensible (fairly aggressive) timeouts on connections that fail to complete an SSL handshake. Is this possible? Does it sound like I'm even identifying the problem correctly?

I'm wondering if I could get more control by using accept in non-blocking mode. Is this worth looking into?

I appreciate that if you suggest the use of any particular OpenSSL features, I will have to dig around to see if those facilities are available via the IO::Socket::SSL library (or maybe more directly via the Net::SSLeay library). Any thoughts appreciated.

Perl version: v5.8.8
The program uses:

use IO::Socket::SSL;
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
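An added example (not the poster's code, and not part of the original thread) showing the shape the listener could take so that a client which stalls mid-handshake cannot block everyone else: the parent process does a plain TCP accept, forks, and returns to accept() at once; the child runs the TLS handshake under an alarm-based deadline and exits if the client does not finish in time. It assumes an IO::Socket::SSL version that supports SSL_startHandshake => 0 and accept_SSL; the certificate paths, port and timeout values are placeholders.

```perl
#!/usr/bin/perl
# Added example: forking SSL listener with a bounded handshake in the child.
# Assumption: IO::Socket::SSL supports SSL_startHandshake / accept_SSL.
use strict;
use warnings;
use IO::Socket::SSL;
use POSIX ();

# Placeholder paths/port; replace with your own deployment values.
my $CERT = '/path/to/server.crt';
my $KEY  = '/path/to/server.key';
my $PORT = 8443;
my $HANDSHAKE_TIMEOUT = 10;   # seconds a client gets to finish the TLS handshake
my $IO_TIMEOUT        = 30;   # seconds to deliver the XML after the handshake

# SSL_startHandshake => 0: accept() returns the raw TCP connection without
# doing the TLS handshake in the parent, so a slow or broken client never
# holds up the accept loop.
my $server = IO::Socket::SSL->new(
    Listen             => 10,
    LocalPort          => $PORT,
    ReuseAddr          => 1,
    SSL_server         => 1,
    SSL_cert_file      => $CERT,
    SSL_key_file       => $KEY,
    SSL_startHandshake => 0,
) or die "listen failed: $! / " . IO::Socket::SSL::errstr();

$SIG{CHLD} = 'IGNORE';   # let the kernel reap finished handler children

while (1) {
    my $client = $server->accept or next;   # TCP-level accept only, no TLS yet
    my $pid = fork;
    if (!defined $pid) { warn "fork failed: $!\n"; close $client; next; }
    if ($pid)          { close $client; next; }   # parent: straight back to accept()

    # ---- child: everything below runs with a deadline ----
    my $peer = $client->peerhost || 'unknown';

    my $ok = eval {
        local $SIG{ALRM} = sub { die "handshake timeout\n" };
        alarm $HANDSHAKE_TIMEOUT;
        my $r = $client->accept_SSL;        # the actual TLS handshake
        alarm 0;
        $r;                                 # socket on success, undef on failure
    };
    if (!$ok) {
        my $why = $@ || IO::Socket::SSL::errstr() || 'unknown error';
        chomp $why;
        warn "handshake with $peer failed: $why\n";   # this is the line to watch in the log
        $client->close(SSL_no_shutdown => 1);         # do not wait for the peer's close_notify
        POSIX::_exit(1);                              # skip parent's destructors
    }

    # Handshake done: identify the client from its certificate (if any) and
    # send its data, still under a deadline so a stalled reader cannot
    # keep this child alive forever.
    my $cn = $client->peer_certificate('commonName') || $peer;
    eval {
        local $SIG{ALRM} = sub { die "io timeout\n" };
        alarm $IO_TIMEOUT;
        print $client "<data for=\"$cn\"/>\n";   # placeholder payload
        $client->close;                           # proper SSL shutdown on the happy path
        alarm 0;
    };
    warn "send to $cn failed: $@" if $@;
    POSIX::_exit($@ ? 1 : 0);
}
```

If the installed IO::Socket::SSL is too old for SSL_startHandshake, the same split can be had by listening with a plain IO::Socket::INET and, in the child, calling IO::Socket::SSL->start_SSL($client, SSL_server => 1, SSL_cert_file => ..., SSL_key_file => ...) inside the same alarm-wrapped eval; the important property in both cases is that the parent never executes any TLS code on behalf of a client.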
