[PATCH] SSL Server connect I/O timeout

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Fri, 27 Jun 2014 18:38:02 +0300

Hi all,

Currently FwdState::negotiateSSL() operates on a TCP connection without
a timeout. If, for example, the server never responds to Squid SSL
Hello, the connection gets stuck forever. This happens in the real world when,
for example, a client is trying to establish an SSL connection through
bumping Squid to an HTTP server that does not speak SSL and does not
detect initial request garbage (from an HTTP point of view).

Moreover, if the client closes the connection while Squid is fruitlessly
waiting for server SSL negotiation, the client connection will get into
the CLOSE_WAIT state with a 1 day client_lifetime timeout. This patch
does not address that CLOSE_WAIT problem directly.

This patch adds an SSL negotiation timeout for the server SSL connection
and tries not to exceed forward_timeout or peer_timeout while connecting
to an SSL server.

Some notes:
  - In this patch the timeouts used for Ssl::PeerConnector are still not
accurate; they may be 5 secs more than the forward timeout or 1 second
more than the peer_connect timeout, but I think they are reasonable enough.

  - Please check and comment on the new
Comm::Connection::startTime()/::noteStart() mechanism.
Now Comm::Connection::startTime_ is computed in the Comm::Connection
constructor and reset in Comm::ConnOpener::start() and
Comm::TcpAcceptor::start().

This is a Measurement Factory project.

Received on Fri Jun 27 2014 - 15:38:18 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 27 2014 - 12:00:13 MDT
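The failure mode and the fix described in the message above, as an added example that is not Squid code and not the author's patch: a stand-alone C++ sketch in which a connection remembers when it was opened (a hypothetical TimedConnection with a noteStart() analogue), the negotiation step is given only what is left of the smaller of the forward and peer budgets (an assumed rule, not necessarily how Squid computes it), and the wait for the peer's reply is bounded with poll() instead of blocking indefinitely. A socketpair whose far end never writes stands in for the silent non-SSL server.

```cpp
// Added example, not Squid code: bound a handshake-style read by a deadline
// derived from the connection's start time so that a peer which never answers
// the ClientHello cannot hold the connection forever.
#include <algorithm>
#include <cerrno>
#include <chrono>
#include <cstdio>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

using Clock = std::chrono::steady_clock;

enum class WaitResult { Ready, TimedOut, Error };

// Hypothetical analogue of a connection object that records when it was opened.
struct TimedConnection {
    int fd = -1;
    Clock::time_point start = Clock::now();     // analogue of startTime_ set in the constructor
    void noteStart() { start = Clock::now(); }  // reset when the open actually begins
};

// Remaining budget for the negotiation step: what is left of the smaller of
// forward_timeout and peer_timeout, measured from the connection's start.
// (Assumed rule for illustration; clamps to zero once the budget is spent.)
int remainingBudgetMs(const TimedConnection &c, int forwardTimeoutMs, int peerTimeoutMs,
                      Clock::time_point now) {
    const long elapsed =
        std::chrono::duration_cast<std::chrono::milliseconds>(now - c.start).count();
    const long budget = std::min<long>(forwardTimeoutMs, peerTimeoutMs) - elapsed;
    return budget > 0 ? static_cast<int>(budget) : 0;
}

// Helper for flat checks: budget left after elapsedMs have passed since the open.
int budgetAfter(int elapsedMs, int forwardTimeoutMs, int peerTimeoutMs) {
    TimedConnection c;
    c.noteStart();
    return remainingBudgetMs(c, forwardTimeoutMs, peerTimeoutMs,
                             c.start + std::chrono::milliseconds(elapsedMs));
}

// Wait for readable data for at most timeoutMs, returning TimedOut rather than
// blocking. EINTR retries recompute the remaining time against a fixed deadline.
WaitResult awaitReply(int fd, int timeoutMs) {
    const auto deadline = Clock::now() + std::chrono::milliseconds(timeoutMs);
    struct pollfd p;
    p.fd = fd;
    p.events = POLLIN;
    for (;;) {
        long left = std::chrono::duration_cast<std::chrono::milliseconds>(
                        deadline - Clock::now()).count();
        if (left < 0) left = 0;
        p.revents = 0;
        const int rc = poll(&p, 1, static_cast<int>(left));
        if (rc > 0) return WaitResult::Ready;
        if (rc == 0) return WaitResult::TimedOut;
        if (errno == EINTR) continue;
        return WaitResult::Error;
    }
}

// Simulated negotiation: our side sends a constructed hello, then waits for the
// reply. If respond is false the far end stays silent, like a server that does
// not speak SSL and ignores the garbage it received.
WaitResult simulateNegotiation(bool respond, int timeoutMs) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return WaitResult::Error;
    const char hello[] = "ClientHello (constructed)";
    (void)write(sv[0], hello, sizeof hello);
    if (respond) {
        const char reply[] = "ServerHello (constructed)";
        (void)write(sv[1], reply, sizeof reply);
    }
    const WaitResult r = awaitReply(sv[0], timeoutMs);
    close(sv[0]);
    close(sv[1]);
    return r;
}

int main() {
    std::printf("budget after 3s of 10s/5s: %d ms\n", budgetAfter(3000, 10000, 5000));
    std::printf("silent server: %s\n",
                simulateNegotiation(false, 200) == WaitResult::TimedOut ? "timed out" : "ready");
    std::printf("responding server: %s\n",
                simulateNegotiation(true, 200) == WaitResult::Ready ? "ready" : "timed out");
    return 0;
}
```

The point of keeping the deadline tied to the connection's start rather than to the moment the handshake begins is that the SSL step cannot add a full extra timeout on top of the time already spent opening the TCP connection; the silent-peer case returns TimedOut after the budget and the caller can fail the request instead of leaving the connection idle.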