The server socket does not have a socket timeout defined. It is possible for a rogue connection to cause the server to be permanently stuck in the SSL handshake.
To repro:
Start server
telnet <host> <port> #to establish a connection without completing the SSL handshake
All future connections will be blocked
Adding a defaulttimeout seems to fix this.
diff --git a/kmip/services/server/server.py b/kmip/services/server/server.py
index a020db3..b5c20b4 100644
--- a/kmip/services/server/server.py
+++ b/kmip/services/server/server.py
@@ -336,6 +336,7 @@ class KmipServer(object):
as connections are handled. Set up signal handling to shutdown
connection service as needed.
"""
+ socket.setdefaulttimeout(10)
self._socket.listen(5)
def _signal_handler(signal_number, stack_frame):
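Review bot: `socket.setdefaulttimeout(10)` on the added line is process-wide, so it changes the timeout of every socket created afterwards in this process, not only the ones this server accepts, and the 10-second value is hard-coded. Consider applying the timeout to each accepted connection instead and reading the value from the server configuration. The log below shows the resulting `socket.timeout` propagating out of `self._socket.accept()` in `serve`, so the accept loop has to catch it and continue. Because the handshake runs inside that `accept()` call, each stalled client still holds the loop for up to the full timeout.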
Log:
2018-04-24 13:04:33,255 - kmip.server - ERROR - _ssl.c:629: The handshake operation timed out
Traceback (most recent call last):
File "/home/ubuntu/PyKMIP/kmip/services/server/server.py", line 359, in serve
connection, address = self._socket.accept()
File "/usr/lib/python3.5/ssl.py", line 1035, in accept
server_side=True)
File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket
_context=self)
File "/usr/lib/python3.5/ssl.py", line 752, in __init__
self.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
socket.timeout: _ssl.c:629: The handshake operation timed out
This change fixes a potential denial-of-service bug with the
server, setting a default timeout for all server sockets. This
allows the server to drop hung connections without blocking
forever. The interrupt triggered during accept calls is expected
and is now handled appropriately. Server unit tests have been
updated to reflect this change.
Closes #430
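An added example, not PyKMIP code, that goes one step beyond the default-timeout fix: the TLS handshake is deferred to a per-connection thread with its own timeout, so a silent client never holds the accept loop. The names `handle`, `run_demo` and `HANDSHAKE_TIMEOUT` are hypothetical, and the server context loads no certificate because the constructed clients never send a ClientHello.

```python
import socket
import ssl
import threading
import time

HANDSHAKE_TIMEOUT = 0.5  # assumed demo value, seconds


def handle(tls, results):
    """Per-connection worker: the handshake runs here, not in the accept loop."""
    tls.settimeout(HANDSHAKE_TIMEOUT)
    try:
        tls.do_handshake()
        results.append("ok")
    except socket.timeout:
        results.append("timeout")  # stalled peer: drop it
    except OSError:
        results.append("failed")  # includes ssl.SSLError
    finally:
        tls.close()


def run_demo(stalled=2):
    # No certificate is loaded: the constructed clients below never send a
    # ClientHello, so the handshake never gets far enough to need one.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(5.0)
    addr = listener.getsockname()
    # Constructed input: TCP connections that stay silent, as in the repro.
    clients = [socket.create_connection(addr) for _ in range(stalled)]
    results, workers = [], []
    start = time.monotonic()
    for _ in clients:
        raw, _peer = listener.accept()
        tls = ctx.wrap_socket(raw, server_side=True,
                              do_handshake_on_connect=False)
        worker = threading.Thread(target=handle, args=(tls, results))
        worker.start()
        workers.append(worker)
    accept_elapsed = time.monotonic() - start
    for worker in workers:
        worker.join()
    for c in clients + [listener]:
        c.close()
    return accept_elapsed, results
```

`run_demo()` returns the time spent in the accept loop and the per-connection outcomes; the loop finishes well before any handshake timeout expires.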