New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix race condition when setting up client https connection #20228 #20243
Conversation
Can one of the repo owners verify this patch? |
OK TO TEST |
LGTM – Thanks for the fix (and finding it in the first place)! The better fix mentioned is tricky to pull off, I wonder if we really would be able to do it in a nice way. |
clone.setUseCipherSuitesOrder(parameters.getUseCipherSuitesOrder) | ||
|
||
clone | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be done in one go without cloning the params if hostInfo
is None
:
private def applySNI(params: NegotiateNewSession): Unit = for {
sslParams <- params.sslParameters
(hostname, _) <- hostInfo
} yield {
//first copy the mutable SLLParameters before modifying to prevent race condition in `setServerNames`
val clone = new SSLParameters()
clone.setCipherSuites(sslParams.getCipherSuites)
clone.setProtocols(sslParams.getProtocols)
clone.setWantClientAuth(sslParams.getWantClientAuth)
clone.setNeedClientAuth(sslParams.getNeedClientAuth)
clone.setEndpointIdentificationAlgorithm(sslParams.getEndpointIdentificationAlgorithm)
clone.setAlgorithmConstraints(sslParams.getAlgorithmConstraints)
clone.setSNIMatchers(sslParams.getSNIMatchers)
clone.setUseCipherSuitesOrder(sslParams.getUseCipherSuitesOrder)
// apply the changes
clone.setServerNames(Collections.singletonList(new SNIHostName(hostname)))
engine.setSSLParameters(clone)
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
setServerNames
is called only once here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll be touching this area in a PR in the next hour or so, will apply this idea – thanks @2Beaucoup!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
Test PASSed. |
Thanks again @markvandertol 👍 |
As discussed in #20228
Fixes a race condition when multiple connections are setup simultaneously that could result in an error when setting up a https connection or sending the wrong SNI to the server.
A better fix would have been to not pass around a mutable SSLParameters object between actors, but that cannot be done without breaking the public api.