Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add timeout for TLS handshakes #1514

Merged
merged 3 commits into from
Oct 7, 2024
Merged

Add timeout for TLS handshakes #1514

merged 3 commits into from
Oct 7, 2024

Conversation

fuzzypixelz
Copy link
Member

After establishing a TCP connections, the TLS link waits for the TLS handshake to complete in rustls. If the TLS handshake never takes place, then the TLS link waits forever and no one else can establish a Zenoh session. It is thus possible to block a router with a TLS on tls/127.0.0.1:7447 listener from servicing any incoming connections with the following:

fn main() {
    let _stream = TcpStream::connect("127.0.0.1:7447")?;
    thread::park();
}

@fuzzypixelz fuzzypixelz added the bug Something isn't working label Oct 4, 2024
gabrik
gabrik requested changes Oct 5, 2024
View reviewed changes
io/zenoh-links/zenoh-link-tls/src/unicast.rs Outdated Show resolved Hide resolved
io/zenoh-links/zenoh-link-tls/src/lib.rs Outdated
@@ -81,6 +81,8 @@ zconfigurable! {
// Amount of time in microseconds to throttle the accept loop upon an error.
// Default set to 100 ms.
static ref TLS_ACCEPT_THROTTLE_TIME: u64 = 100_000;
/// The time duration in milliseconds to wait for the TLS handshake to complete.
static ref TLS_HANDSHAKE_TIMEOUT_MS: u64 = 10_000;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be configurable?

@gabrik
Copy link
Contributor

gabrik commented Oct 5, 2024

I'm thinking if we should also spawn a task on accept, or have a task pool where we sent the accepted socket before waiting for the the TLS handshake to complete.

@fuzzypixelz
Copy link
Member Author

fuzzypixelz commented Oct 7, 2024
edited
Loading

I'm thinking if we should also spawn a task on accept, or have a task pool where we sent the accepted socket before waiting for the the TLS handshake to complete.

Yes, this is effectively what the tls-listener crate does.

We should be careful as tls-listener has had CVE-2024-28854 where it was vulnerable to a slow-loris DoS attack.

@gabrik
Copy link
Contributor

gabrik commented Oct 7, 2024

I think we need to add a key in order to make the timeout configurable, see: https://github.com/eclipse-zenoh/zenoh/blob/tls-handshake-timeout/io/zenoh-links/zenoh-link-tls/src/lib.rs#L88

@fuzzypixelz
Copy link
Member Author

I think we need to add a key in order to make the timeout configurable, see: https://github.com/eclipse-zenoh/zenoh/blob/tls-handshake-timeout/io/zenoh-links/zenoh-link-tls/src/lib.rs#L88

Those keys are for runtime configuration, but TLS_HANDSHAKE_TIMEOUT_MS is a compile-time constant. Maybe we should make this runtime-configurable.

@gabrik
Copy link
Contributor

gabrik commented Oct 7, 2024

Those keys are for runtime configuration, but TLS_HANDSHAKE_TIMEOUT_MS is a compile-time constant. Maybe we should make this runtime-configurable.

I think it must be runtime-configurable as the timeout depends the deployment

@gabrik gabrik merged commit 0985806 into main Oct 7, 2024
24 checks passed
@gabrik gabrik deleted the tls-handshake-timeout branch October 7, 2024 12:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gabrik gabrik gabrik approved these changes

@oteffahi oteffahi oteffahi approved these changes

@OlivierHecart OlivierHecart Awaiting requested review from OlivierHecart

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fuzzypixelz @gabrik @oteffahi