Fix race condition when setting up client https connection #20228 #20243
Conversation
|
Can one of the repo owners verify this patch? |
|
OK TO TEST |
|
LGTM – Thanks for the fix (and finding it in the first place)! The better fix mentioned is tricky to pull off, I wonder if we really would be able to do it in a nice way. |
| clone.setUseCipherSuitesOrder(parameters.getUseCipherSuitesOrder) | ||
|
|
||
| clone | ||
| } |
There was a problem hiding this comment.
This can be done in one go without cloning the params if hostInfo is None:
private def applySNI(params: NegotiateNewSession): Unit = for {
sslParams <- params.sslParameters
(hostname, _) <- hostInfo
} yield {
//first copy the mutable SLLParameters before modifying to prevent race condition in `setServerNames`
val clone = new SSLParameters()
clone.setCipherSuites(sslParams.getCipherSuites)
clone.setProtocols(sslParams.getProtocols)
clone.setWantClientAuth(sslParams.getWantClientAuth)
clone.setNeedClientAuth(sslParams.getNeedClientAuth)
clone.setEndpointIdentificationAlgorithm(sslParams.getEndpointIdentificationAlgorithm)
clone.setAlgorithmConstraints(sslParams.getAlgorithmConstraints)
clone.setSNIMatchers(sslParams.getSNIMatchers)
clone.setUseCipherSuitesOrder(sslParams.getUseCipherSuitesOrder)
// apply the changes
clone.setServerNames(Collections.singletonList(new SNIHostName(hostname)))
engine.setSSLParameters(clone)
}There was a problem hiding this comment.
setServerNames is called only once here.
There was a problem hiding this comment.
I'll be touching this area in a PR in the next hour or so, will apply this idea – thanks @2Beaucoup!
akka-ci
added
tested
|
Test PASSed. |
|
Thanks again @markvandertol 👍 |
As discussed in #20228
Fixes a race condition when multiple connections are setup simultaneously that could result in an error when setting up a https connection or sending the wrong SNI to the server.
A better fix would have been to not pass around a mutable SSLParameters object between actors, but that cannot be done without breaking the public api.