Re: [PATCH] SSL Server connect I/O timeout
On 28/06/2014 3:38 a.m., Tsantilas Christos wrote:
> Hi all,
>
> Currently FwdState::negotiateSSL() operates on a TCP connection without
> a timeout. If, for example, the server never responds to Squid's SSL
> Hello, the connection gets stuck forever. This happens in the real world
> when, for example, a client is trying to establish an SSL connection
> through a bumping Squid to an HTTP server that does not speak SSL and does
> not detect initial request garbage (from the HTTP point of view).
>
> Moreover, if the client closes the connection while Squid is fruitlessly
> waiting for server SSL negotiation, the client connection will get into
> the CLOSE_WAIT state with a 1 day client_lifetime timeout. This patch
> does not address that CLOSE_WAIT problem directly.
>
> This patch adds an SSL negotiation timeout for the server SSL connection
> and tries not to exceed forward_timeout or peer_timeout while connecting
> to an SSL server.
>
> Some notes:
> - In this patch the timeouts used for Ssl::PeerConnector are still not
>   accurate; they may be 5 secs more than the forward timeout or 1 second
>   more than the peer_connect timeout, but I think they are reasonable
>   enough.
>
> - Please check and comment on the new
>   Comm::Connection::startTime()/::noteStart() mechanism.
>   Now Comm::Connection::startTime_ is computed in the Comm::Connection
>   constructor and reset in Comm::ConnOpener::start() and
>   Comm::TcpAcceptor::start().
>
> This is a Measurement Factory project.

+1. Please apply ASAP.

Amos
Re: [PATCH] SSL Server connect I/O timeout
If there are no objections I will apply this patch to trunk.

Regards,
Christos

On 06/27/2014 06:38 PM, Tsantilas Christos wrote:
> Hi all,
>
> Currently FwdState::negotiateSSL() operates on a TCP connection without
> a timeout. If, for example, the server never responds to Squid's SSL
> Hello, the connection gets stuck forever. This happens in the real world
> when, for example, a client is trying to establish an SSL connection
> through a bumping Squid to an HTTP server that does not speak SSL and does
> not detect initial request garbage (from the HTTP point of view).
>
> Moreover, if the client closes the connection while Squid is fruitlessly
> waiting for server SSL negotiation, the client connection will get into
> the CLOSE_WAIT state with a 1 day client_lifetime timeout. This patch
> does not address that CLOSE_WAIT problem directly.
>
> This patch adds an SSL negotiation timeout for the server SSL connection
> and tries not to exceed forward_timeout or peer_timeout while connecting
> to an SSL server.
>
> Some notes:
> - In this patch the timeouts used for Ssl::PeerConnector are still not
>   accurate; they may be 5 secs more than the forward timeout or 1 second
>   more than the peer_connect timeout, but I think they are reasonable
>   enough.
>
> - Please check and comment on the new
>   Comm::Connection::startTime()/::noteStart() mechanism.
>   Now Comm::Connection::startTime_ is computed in the Comm::Connection
>   constructor and reset in Comm::ConnOpener::start() and
>   Comm::TcpAcceptor::start().
>
> This is a Measurement Factory project.