Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

consider adding a default negotiate timeout #4387

Open
jmayclin opened this issue Jan 30, 2024 · 0 comments
Open

consider adding a default negotiate timeout #4387

jmayclin opened this issue Jan 30, 2024 · 0 comments
Labels
priority/low Rank 4 size/small

Comments

@jmayclin
Copy link
Contributor

jmayclin commented Jan 30, 2024
edited by goatgoose

Problem:

Currently consumers of s2n-tls are responsible for implementing reasonable timeouts to deal with malicious behavior.

Solution:

s2n-tls could implement a reasonable timeout (e.g. 10 seconds) to make default usage of s2n-tls more resilient and efficient. s2n-quic has similar protections in place.

Requirements / Acceptance Criteria:

Customers that write naive event loops without timeouts should have some basic level of protection against simple slow-loris style attacks.

Out of scope:

Even if this is infeasible for the C library due to backwards compatibility concerns, we might consider doing it for a smaller subset of customers. Perhaps just the rust bindings.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
priority/low Rank 4 size/small
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@goatgoose @jmayclin