Re: [PATCH] SSL Server connect I/O timeout

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 11 Jul 2014 02:23:09 +1200

On 28/06/2014 3:38 a.m., Tsantilas Christos wrote:
> Hi all,
>
> Currently FwdState::negotiateSSL() operates on a TCP connection without
> a timeout. If, for example, the server never responds to Squid SSL
> Hello, the connection gets stuck forever. This happens in the real world when,
> for example, a client is trying to establish an SSL connection through
> bumping Squid to an HTTP server that does not speak SSL and does not
> detect initial request garbage (from an HTTP point of view).
>
> Moreover, if the client closes the connection while Squid is fruitlessly
> waiting for server SSL negotiation, the client connection will get into
> the CLOSE_WAIT state with a 1 day client_lifetime timeout. This patch
> does not address that CLOSE_WAIT problem directly.
>
> This patch adds an SSL negotiation timeout for the server SSL connection
> and tries not to exceed forward_timeout or peer_timeout while connecting
> to an SSL server.
>
> Some notes:
> - In this patch the timeouts used for Ssl::PeerConnector are still not
> accurate; they may be 5 secs more than the forward timeout or 1 second
> more than the peer_connect timeout, but I think they are reasonable enough.
>
> - Please check and comment on the new
> Comm::Connection::startTime()/::noteStart() mechanism.
> Now Comm::Connection::startTime_ is computed in the Comm::Connection
> constructor and reset in Comm::ConnOpener::start() and
> Comm::TcpAcceptor::start().
>
>
> This is a Measurement Factory project.

+1. Please apply ASAP.

Amos
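The hang the quoted message describes, reproduced as an added example that is not Squid's code: a constructed local server accepts the TCP connection but never answers the ClientHello, and the client derives its handshake deadline from the connection's start time and a forward_timeout budget, in the spirit of the startTime()/noteStart() mechanism the patch proposes. The names silent_server, start_silent_server and negotiate_with_budget are assumptions made for this example.

```python
import socket
import ssl
import threading
import time

def silent_server(ready):
    """Constructed stand-in for an origin that accepts TCP but never answers the ClientHello."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, _ = srv.accept()
    time.sleep(5)          # hold the connection open without sending a byte
    conn.close()
    srv.close()

def start_silent_server():
    """Run silent_server in a background thread and return its port."""
    ready = {"event": threading.Event()}
    threading.Thread(target=silent_server, args=(ready,), daemon=True).start()
    ready["event"].wait(2)
    return ready["port"]

def negotiate_with_budget(host, port, forward_timeout, connect_start):
    """Handshake with a deadline derived from the connection's start time.

    connect_start plays the role of Comm::Connection::startTime(): whatever
    part of forward_timeout was already spent connecting is subtracted, so the
    TLS negotiation can never outlive the overall forwarding budget.
    Returns ("ok", seconds) or ("timeout", seconds).
    """
    remaining = forward_timeout - (time.monotonic() - connect_start)
    if remaining <= 0:
        return ("timeout", 0.0)   # budget already exhausted: do not even connect
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # constructed lab peer has no certificate to verify
    raw = socket.create_connection((host, port), timeout=remaining)
    raw.settimeout(remaining)         # the handshake inherits this deadline
    started = time.monotonic()
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # blocks in the handshake
        tls.close()
        return ("ok", time.monotonic() - started)
    except socket.timeout:
        raw.close()
        return ("timeout", time.monotonic() - started)
```

Without the settimeout() call the wrap_socket() handshake against the silent peer would block indefinitely, which is exactly the FwdState::negotiateSSL() behaviour the patch fixes.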
Received on Thu Jul 10 2014 - 14:23:19 MDT