GitHub user shinrich opened a pull request:
https://github.com/apache/trafficserver/pull/669
TS-4661: SSL Client Connections not closed.
Ultimately the issue was that SSL connections that stall in the
ProtocolTrampoline never have the inactivity timeout cleanup. The problem was
introduced in 6.0.0 due to an unfortunate interaction between the addition of
the ssl_handshake_timeout_in and inactivity_timeout mechanism.
The problem occurs when ssl_handshake_timeout_in is set to 0, which is the
scenario that @bcall and I were testing. This causes
vc->set_inactivity_timeout(0) to be called. This sets
vc->inactivity_timeout_in to 0 and vc->next_inactivity_timeout_at to current
time.
Looking at UnixNetVConnection::mainEvent, the inactivity timeout event is
not propagated if inactivity_timeout_in is 0 even if next_inactivity_timeout_at
is non-zero and less than the current time.
Looking at check_inactivity, if next_inactivity_timeout_at is 0, it will
call vc->set_inactivity_timeout with the default_inactivity_timeout.
But since next_inactivity_timeout_at is not 0, the default is never set and
inactivity_timeout_in is never set to non-zero, so the inactivity_timeout
signal is never propagated and thus the connection is never closed.
I adjusted set_inactivity_timeout to not set the next_inactivity_timeout_at
if the argument is 0. This fix has been tested in production against the 6.2
code, and the client connections all close after the box is removed from
traffic.
This patch also includes a fix to add the Http1ClientSessions to the
appropriate _queues. That fix will be needed eventually, but wasn't essential
for this particular scenario.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/shinrich/trafficserver ts-4461
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/trafficserver/pull/669.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #669
----
commit a559295f4c36677e1f8044ac259591ce5bb48830
Author: Susan Hinrichs <[email protected]>
Date: 2016-05-26T02:09:48Z
TS-4661: SSL Client Connections not closed.
----
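
A simplified model of the interaction described in the pull request, as an added example that is not Traffic Server code and not part of the original message. The field and function names come from the description; the function bodies, the `fixed` flag, the default of 30 and the clock values are assumptions.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified model of the bookkeeping described in the PR text. Names follow
// the description; bodies and the default value are assumptions, not ATS code.
struct VC {
  int64_t inactivity_timeout_in = 0;       // timeout length, 0 = none
  int64_t next_inactivity_timeout_at = 0;  // absolute deadline, 0 = unset
  bool closed = false;
};
constexpr int64_t kDefaultInactivityTimeout = 30;  // constructed value

void set_inactivity_timeout(VC &vc, int64_t timeout_in, int64_t now, bool fixed) {
  vc.inactivity_timeout_in = timeout_in;
  if (fixed && timeout_in == 0)
    return;  // fix as described: a 0 argument leaves the deadline unset
  vc.next_inactivity_timeout_at = now + timeout_in;
}

// mainEvent: the timeout is propagated only when inactivity_timeout_in != 0.
void main_event(VC &vc, int64_t now) {
  if (vc.inactivity_timeout_in != 0 && vc.next_inactivity_timeout_at != 0 &&
      vc.next_inactivity_timeout_at < now)
    vc.closed = true;
}

// check_inactivity: the default is applied only when no deadline is set.
void check_inactivity(VC &vc, int64_t now, bool fixed) {
  if (vc.next_inactivity_timeout_at == 0)
    set_inactivity_timeout(vc, kDefaultInactivityTimeout, now, fixed);
  main_event(vc, now);
}

// A connection stalls after set_inactivity_timeout(0); report whether the
// periodic sweep closes it within `ticks` time units.
bool stalled_connection_closes(bool fixed, int64_t ticks) {
  VC vc;
  const int64_t start = 1000;  // constructed clock value
  set_inactivity_timeout(vc, 0, start, fixed);  // ssl_handshake_timeout_in = 0
  for (int64_t t = 1; t <= ticks && !vc.closed; ++t)
    check_inactivity(vc, start + t, fixed);
  return vc.closed;
}

int main() {
  std::printf("before fix: closed=%d\n", stalled_connection_closes(false, 100000));
  std::printf("after fix:  closed=%d\n", stalled_connection_closes(true, 100));
  return 0;
}
```

In the unfixed path the deadline is non-zero while the timeout length is 0, so the default is never applied and the stalled connection is held open indefinitely.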