What happens if you check for input (using select()) after the tcp accept() and before the SSL_accept() ?
Jasper -----Oorspronkelijk bericht----- Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Tim Regovich Verzonden: dinsdag 4 februari 2003 22:09 Aan: [EMAIL PROTECTED] Onderwerp: RE: SSL_accept hang This doesn't really solve the problem of timeouts, as you will now have a dead thread lying around. Tim --- Jasper Spit <[EMAIL PROTECTED]> wrote: > Don't know if this is appropriate for you, but if > you're using a > multithreaded app, make sure the SSL_accept call > takes place in a > seperate thread (dedicated for that client). That > way if the connecting > party never initiates or completes a handshake, your application will > still be able to serve other clients. > > BTW, there's no need for non-blocking I/O if you use > a multithreaded > server. You can build your own timeout mechanism > using e.g. select() > prior to each read or write. This works fine for me, > and is platform > independent. > > -----Oorspronkelijk bericht----- > Van: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] Namens Skip Rhudy > Verzonden: vrijdag 24 januari 2003 21:43 > Aan: [EMAIL PROTECTED] > Onderwerp: SSL_accept hang > > > > Hello all, > > > > Recently we encountered behavior with SSL_accept() > that can be exploited > as a DOS attack. I've noticed a similar thread > posted, but it focuses on > Apache (Slapper denial-of-service problem - why > isn't this fixed?) > > > > We use OpenSSL on in a Win2k environment. The latest > code we have is > 0.9.6h. > > > > If SSL_accept is called in blocking i/o mode, and > the client on the > other end never initiates a handshake, or never > sends any data at all, > the SSL_accept() call never returns. > > > > In the case of the particular server we are using, > once that happens, > further TCP accepts are blocked and so once the > Winsock accept queue is > full, the server stops responding. > > > > This can be confirmed using telnet to the SSL listen > port. If telnet > sends no data, the SSL library doesn't seem to > timeout. Is there a > timeout for handshake begin on the SSL_accept side? > Is this a known > issue? It sounds the same as the Slapper > denial-of-service problem. > > > > Regards, > > Skip > > > > > > > > > > There are traders and there are CyberTraders. > <http://www.cybertrader.com/> > http://www.cybertrader.com/ > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > CyberTrader does not accept buy or sell orders or > cancels > through this medium and is not responsible for any > orders > so placed. The information transmitted is intended > only > for the person or entity to which it is addressed > and > may contain confidential and/or privileged material. > > Any review, retransmission, dissemination or other > use > of, or taking of any action in reliance upon, this > information by persons or entities other than the > intended recipient is prohibited. If you received > this > in error, please contact the sender and delete the > material > from any computer. > > WARNING: All email sent to or from this address will > be > received or otherwise recorded by the Charles Schwab > > corporate email system and is subject to archival, > monitoring or review by, and / or disclosure to, > someone > other than the recipient. > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
