[prev in list] [next in list] [prev in thread] [next in thread] 

List:       squid-dev
Subject:    Re: [PATCH] SSL Server connect I/O timeout
From:       Amos Jeffries <squid3 () treenet ! co ! nz>
Date:       2014-07-10 14:23:09
Message-ID: 53BEA1CD.8090008 () treenet ! co ! nz
[Download RAW message or body]

On 28/06/2014 3:38 a.m., Tsantilas Christos wrote:
> Hi all,
> 
> Currently FwdState::negotiateSSL() operates on a TCP connection without
> a timeout. If, for example, the server never responds to Squid SSL
> Hello, the connection getstuck forever. This happens in real world when,
> for example, a client is trying to establish an SSL connection through
> bumping Squid to an HTTP server that does not speak SSL and does not
> detect initial request garbage (from HTTP point of view)
> 
> Moreover, if the client closes the connection while Squid is fruitlessly
> waiting for server SSL negotiation, the client connection will get into
> the CLOSE_WAIT state with a 1 day client_lifetime timeout.  This patch
> does not address that CLOSE_WAIT problem directly.
> 
> This patch adds an SSL negotiation timeout for the server SSL connection
> and try to not exceed forword_timeout or peer_timeout while connecting
> to an SSL server.
> 
> Some notes:
>  - In this patch still the timeouts used for Ssl::PeerConnector are not
> accurate, they may be 5 secs more then the forward timeout or 1 second
> more than peer_connect timeout, but I think are enough reasonable.
> 
>  - Please check and comment the new
> Comm::Connection::startTime()/::noteStart() mechanism.
> Now the Comm::Connection::startTime_ computed in Comm::Connection
> constructor and resets in Comm::ConnOpener::start() and
> Comm::TcpAcceptor::start()
> 
> 
> This is a Measurement Factory project.


+1. Please apply ASAP.

Amos
[prev in list] [next in list] [prev in thread] [next in thread]