Security Advisory
Versions prior to this using the default configuration are vulnerable to a Slowloris attack.
This version mitigates the vulnerability.
Previous versions can mitigate the vulnerability by increasing the value passed to `Builder::max_handshakes` to a large number (such as `usize::MAX`). Decreasing the `handshake_timeout` can also help, although it is still strongly recommended to increase `max_handshakes` above the current default.
Changes
- [breaking] Change `poll_accept` not to have a limit on the number of pending handshakes in the queue, so that connections that are not making progress towards completing the handshake will not block other connections from being accepted. This replaces `Builder::max_handshakes` with `Builder::accept_batch_size`.
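
The blocking effect this change removes can be seen in a small tick-based model, given here as an added example that is not the crate's own code. The function `completed_handshakes`, the one-arrival-per-tick schedule and the `ARRIVALS` pattern are constructed assumptions; only the roles of `max_handshakes` and `handshake_timeout` come from the advisory.

```rust
use std::collections::VecDeque;

// Constructed arrival pattern: three clients that never finish the
// handshake, then one well-behaved client, repeating.
const ARRIVALS: [bool; 4] = [true, true, true, false];

struct Conn { stalled: bool, age: u32 }

/// Counts well-behaved handshakes completed within `ticks` when the listener
/// accepts a connection only while fewer than `max_handshakes` are pending
/// (the old behaviour). Stalled handshakes are dropped after `timeout` ticks.
fn completed_handshakes(max_handshakes: usize, timeout: u32, ticks: u32) -> usize {
    let mut pending: Vec<Conn> = Vec::new();
    let mut backlog: VecDeque<bool> = VecDeque::new(); // not yet accepted
    let mut done = 0;
    for t in 0..ticks {
        backlog.push_back(ARRIVALS[t as usize % ARRIVALS.len()]);
        // Accept from the backlog only while a handshake slot is free.
        while pending.len() < max_handshakes {
            match backlog.pop_front() {
                Some(stalled) => pending.push(Conn { stalled, age: 0 }),
                None => break,
            }
        }
        for c in pending.iter_mut() {
            c.age += 1;
        }
        // In this model a well-behaved client completes in one tick.
        done += pending.iter().filter(|c| !c.stalled).count();
        // Completed handshakes leave; stalled ones stay until the timeout.
        pending.retain(|c| c.stalled && c.age < timeout);
    }
    done
}

fn main() {
    // Small limit, long timeout: stalled handshakes hold every slot.
    println!("limit 4, timeout 10: {}", completed_handshakes(4, 10, 40)); // 5
    // Mitigation for older versions: effectively unlimited pending handshakes.
    println!("limit usize::MAX:    {}", completed_handshakes(usize::MAX, 10, 40)); // 10
    // A shorter handshake timeout frees slots sooner.
    println!("limit 4, timeout 2:  {}", completed_handshakes(4, 2, 40)); // 10
}
```

With the unlimited setting the pending set grows with the number of stalled connections until the timeout evicts them, so the handshake timeout remains the bound on per-connection resource use.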