v0.10.0

@tmccombs tmccombs released this 15 Mar 06:29
· 2 commits to main since this release

Security Advisory

Versions prior to this using the default configuration are vulnerable to a Slowloris attack.

This version mitigates the vulnerability.

Previous versions can mitigate the vulnerability by increasing the value passed to Builder::max_handshakes to a large
number (such as usize::MAX). Decreasing the handshake_timeout can also help, although it is still strongly recommended
to increase max_handshakes above the current default.
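
Why the cap matters, shown as an added model that is not code from tls-listener: a tick-based simulation in which stalled peers occupy every pending-handshake slot, so a well-behaved client queued behind them cannot start its handshake until the timeout frees a slot. The function names, tick units and scenario values are constructed for illustration.

```rust
// Added illustration: a tick-based model of an accept loop; not tls-listener's code.
// A handshake duration of `None` is a peer that never finishes (a stalled connection).
use std::collections::VecDeque;

/// Completion tick per connection (None = dropped at the timeout).
/// `max_pending = usize::MAX` models having no cap on pending handshakes.
fn simulate(conns: &[Option<u64>], max_pending: usize, timeout: u64) -> Vec<Option<u64>> {
    assert!(max_pending > 0 && timeout > 0);
    let mut backlog: VecDeque<usize> = (0..conns.len()).collect();
    let mut pending: Vec<(usize, u64)> = Vec::new(); // (connection index, start tick)
    let mut done = vec![None; conns.len()];
    let mut remaining = conns.len();
    let mut tick = 0u64;
    while remaining > 0 {
        // Accept from the backlog only while a handshake slot is free.
        while pending.len() < max_pending {
            match backlog.pop_front() {
                Some(i) => pending.push((i, tick)),
                None => break,
            }
        }
        tick += 1;
        // Retire handshakes that completed, then those that hit the timeout.
        pending.retain(|&(i, start)| match conns[i] {
            Some(d) if tick - start >= d => { done[i] = Some(tick); remaining -= 1; false }
            _ if tick - start >= timeout => { remaining -= 1; false }
            _ => true,
        });
    }
    done
}

/// Constructed scenario: `stalled` never-finishing peers queued ahead of one
/// client whose handshake takes 1 tick. Returns that client's completion tick.
fn legit_latency(stalled: usize, max_pending: usize, timeout: u64) -> Option<u64> {
    let mut conns: Vec<Option<u64>> = vec![None; stalled];
    conns.push(Some(1));
    simulate(&conns, max_pending, timeout)[stalled]
}

fn main() {
    println!("capped, timeout 10:   {:?}", legit_latency(8, 4, 10));
    println!("capped, timeout 2:    {:?}", legit_latency(8, 4, 2));
    println!("uncapped, timeout 10: {:?}", legit_latency(8, usize::MAX, 10));
}
```

In this model the client queued behind 8 stalled peers with 4 slots completes at tick 21 with a timeout of 10, at tick 5 with a timeout of 2, and at tick 1 with no cap, which matches the advisory's ordering of the two mitigations.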

Changes

  • [breaking] Change poll_accept not to have a limit on the number of pending handshakes in the queue,
    so that connections that are not making progress towards completing the handshake will not block other
    connections from being accepted. This replaces Builder::max_handshakes with Builder::accept_batch_size.