No socket timeout may lead to denial of service #430

Closed
stevebriskin opened this issue Apr 24, 2018 · 3 comments · Fixed by #432

Comments

@stevebriskin

The server socket does not have a socket timeout defined. It is possible for a rogue connection to cause the server to be permanently stuck in the SSL handshake.

To repro:

  • Start server
  • telnet <host> <port> #to establish a connection without completing the SSL handshake
  • All future connections will be blocked

Adding a defaulttimeout seems to fix this.

diff --git a/kmip/services/server/server.py b/kmip/services/server/server.py
index a020db3..b5c20b4 100644
--- a/kmip/services/server/server.py
+++ b/kmip/services/server/server.py
@@ -336,6 +336,7 @@ class KmipServer(object):
         as connections are handled. Set up signal handling to shutdown
         connection service as needed.
         """
+        socket.setdefaulttimeout(10)
         self._socket.listen(5)
 
         def _signal_handler(signal_number, stack_frame):
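Review bot: `socket.setdefaulttimeout(10)` is process-wide rather than scoped to this server: every socket created afterwards in the process, including any client-side sockets the library opens, gets a 10 second timeout, while `self._socket`, which already exists when this code runs, is not affected (the default only applies to sockets created after the call, so `accept()` on the listener stays fully blocking and only the accepted connections pick up the timeout). Prefer setting the timeout explicitly on the listening socket and on each accepted connection, and read the value from the server configuration instead of the hard-coded `10`. Also confirm that `socket` is imported in this module, since the hunk does not show it, and that the `socket.timeout` the log shows escaping from `accept()` is caught inside the serve loop so that one hung client cannot terminate the server.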

Log:

2018-04-24 13:04:33,255 - kmip.server - ERROR - _ssl.c:629: The handshake operation timed out
Traceback (most recent call last):
  File "/home/ubuntu/PyKMIP/kmip/services/server/server.py", line 359, in serve
    connection, address = self._socket.accept()
  File "/usr/lib/python3.5/ssl.py", line 1035, in accept
    server_side=True)
  File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket
    _context=self)
  File "/usr/lib/python3.5/ssl.py", line 752, in __init__
    self.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
    self._sslobj.do_handshake()
socket.timeout: _ssl.c:629: The handshake operation timed out
@PeterHamilton
Contributor

@stevebriskin Thanks for filing this. I'll try to post a fix later today.

PeterHamilton added a commit that referenced this issue Apr 25, 2018
This change fixes a potential denial-of-service bug with the
server, setting a default timeout for all server sockets. This
allows the server to drop hung connections without blocking
forever. The interrupt triggered during accept calls is expected
and is now handled appropriately. Server unit tests have been
updated to reflect this change.

Closes #430
@PeterHamilton
Contributor

@stevebriskin Thanks again for the reproducibility steps. They always make bug fixing a little bit easier.

@stevebriskin
Author

@PeterHamilton thanks for the quick fix
