Re: [PATCH] SSL Server connect I/O timeout

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Thu, 10 Jul 2014 17:08:07 +0300

If there are no objections I will apply this patch to trunk.

Regards,
    Christos

On 06/27/2014 06:38 PM, Tsantilas Christos wrote:
> Hi all,
>
> Currently FwdState::negotiateSSL() operates on a TCP connection
> without a timeout. If, for example, the server never responds to the Squid
> SSL Hello, the connection gets stuck forever. This happens in the real world
> when, for example, a client is trying to establish an SSL connection
> through bumping Squid to an HTTP server that does not speak SSL and
> does not detect initial request garbage (from the HTTP point of view).
>
> Moreover, if the client closes the connection while Squid is
> fruitlessly waiting for server SSL negotiation, the client connection
> will get into the CLOSE_WAIT state with a 1 day client_lifetime
> timeout. This patch does not address that CLOSE_WAIT problem directly.
>
> This patch adds an SSL negotiation timeout for the server SSL
> connection and tries not to exceed forward_timeout or peer_timeout while
> connecting to an SSL server.
>
> Some notes:
> - In this patch the timeouts used for Ssl::PeerConnector are still
> not accurate; they may be 5 secs more than the forward timeout or 1
> second more than the peer_connect timeout, but I think they are reasonable enough.
>
> - Please check and comment on the new
> Comm::Connection::startTime()/::noteStart() mechanism.
> Now Comm::Connection::startTime_ is computed in the Comm::Connection
> constructor and reset in Comm::ConnOpener::start() and
> Comm::TcpAcceptor::start().
>
> This is a Measurement Factory project.
Received on Thu Jul 10 2014 - 14:08:15 MDT
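The stuck-forever case and the bounded-handshake idea described in the quoted message, as an added illustration in Python; this is constructed example code, not Squid's code or part of the patch, and the function names (negotiation_deadline, start_silent_server, negotiate_tls) are assumptions. The silent server stands in for a plain-HTTP server that accepts the TCP connection but never answers the ClientHello.

```python
import socket
import ssl
import threading
import time

def negotiation_deadline(start_time, forward_timeout, negotiate_timeout, now=None):
    """Seconds the TLS handshake may take: the dedicated negotiation timeout,
    capped so the forwarding budget that started at start_time is not exceeded."""
    now = time.monotonic() if now is None else now
    remaining = max(0.0, forward_timeout - (now - start_time))
    return min(negotiate_timeout, remaining)

def start_silent_server():
    """Constructed stand-in for a server that accepts TCP but never replies.
    Returns the bound port on 127.0.0.1."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def hold():
        conn, _ = srv.accept()
        time.sleep(5)          # stay silent, keep the connection open
        conn.close()
        srv.close()

    threading.Thread(target=hold, daemon=True).start()
    return srv.getsockname()[1]

def negotiate_tls(port, start_time, forward_timeout, negotiate_timeout):
    """Connect and run the handshake under the bounded deadline.
    Returns "ok" on a completed handshake, "timeout" if the peer stays silent."""
    start_time = time.monotonic() if start_time is None else start_time
    deadline = negotiation_deadline(start_time, forward_timeout, negotiate_timeout)
    if deadline <= 0:
        return "timeout"       # forwarding budget already spent; do not even connect
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # constructed test only: no real certificate involved
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection(("127.0.0.1", port), timeout=negotiate_timeout)
    sock.settimeout(deadline)    # bounds do_handshake() inside wrap_socket()
    try:
        tls = ctx.wrap_socket(sock, server_hostname="localhost")
        tls.close()
        return "ok"
    except (socket.timeout, TimeoutError):
        # Without the deadline this blocks as long as the peer holds the socket open.
        return "timeout"

if __name__ == "__main__":
    print(negotiate_tls(start_silent_server(), None, 10.0, 0.5))
```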

This archive was generated by hypermail 2.2.0 : Thu Jul 10 2014 - 12:00:13 MDT