> > I was wondering how I could protect a Twisted server from evil clients
> > initiating, but never completing a TLS handshake.
> >
> > connectionMade is only called when the TLS handshake has completed, right?
> >
> > When doing listenSSL, is there a hook which is fired right after the
> > TCP handshake is complete, before the TLS handshake begins, so that I
> > can set up a callLater/dropConnection timeout?
> >
> > This is the piece I am missing, since for TCP-level protection (SYN
> > floods etc.), I can use kernel parameters / kernel packet filtering,
> > and for app-level protection (I do WebSockets .. which also has a
> > handshake) I can timeout that.
> >
> > I like to do the above without requiring a frontend TLS terminator / firewall ..
>
> One thing to do (perhaps the easiest) is, instead of listenSSL, doing
> listenTCP and then startTLS in the protocol's connectionMade. This would
> let you set a timeout that calls abortConnection in connectionMade.
Thanks! That sounds reasonable and easy enough. Also thanks for pointing to abortConnection() .. which is also a good thing in the context of DoS protection ..

\Tobias

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
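The listenTCP + startTLS-in-connectionMade + abortConnection timeout suggested in the reply, as an added example that is not code from the thread or from Twisted itself. It assumes a `context_factory` attribute on the protocol factory, a 10 second handshake budget, and the `IHandshakeListener.handshakeCompleted` hook of newer Twisted releases; `FakeClock` and `FakeTransport` are constructed stand-ins so the watchdog can be exercised offline.

```python
# Added example, not code from the thread: reactor.listenTCP(), then startTLS()
# in connectionMade() and abortConnection() if the TLS handshake is not finished
# in time. The watchdog needs only callLater() and abortConnection(), so the
# constructed fakes at the bottom let it run without Twisted installed.
try:
    from twisted.internet.protocol import Protocol
    from twisted.internet.interfaces import IHandshakeListener
    from zope.interface import implementer
except ImportError:  # Twisted not installed: stand-ins so the module still loads
    Protocol, IHandshakeListener = object, None
    def implementer(*ifaces): return lambda cls: cls
class HandshakeWatchdog:
    """Abort the transport unless done() is called within `timeout` seconds."""
    def __init__(self, clock, transport, timeout=10.0):  # 10 s is an assumed value
        self.completed = False
        self._transport = transport
        self._call = clock.callLater(timeout, self._expire)

    def _expire(self):
        self._transport.abortConnection()  # hard close; no TLS close_notify needed

    def done(self, completed=True):  # handshake finished, or the peer is gone
        self.completed = completed
        if self._call.active():
            self._call.cancel()
@implementer(IHandshakeListener)
class TLSUpgradeProtocol(Protocol):
    """Serve via reactor.listenTCP(port, factory); factory.context_factory is an
    assumed attribute holding a twisted.internet.ssl server context factory."""
    def connectionMade(self):
        from twisted.internet import reactor  # the real clock in production
        self.watchdog = HandshakeWatchdog(reactor, self.transport)
        self.transport.startTLS(self.factory.context_factory)

    def handshakeCompleted(self):  # IHandshakeListener hook (Twisted >= 16.4)
        self.watchdog.done()

    def connectionLost(self, reason):
        self.watchdog.done(completed=False)  # cancel the timer, nothing to abort
class FakeClock:  # constructed in-memory clock that doubles as the call handle
    def __init__(self): self.when, self.func, self.live = None, None, False
    def callLater(self, delay, func):
        self.when, self.func, self.live = delay, func, True; return self
    def active(self): return self.live
    def cancel(self): self.live = False
    def advance(self, secs):  # move time forward and fire the call if it is due
        self.when -= secs
        if self.live and self.when <= 0: self.live = False; self.func()
class FakeTransport:  # constructed stand-in that records abortConnection()
    def __init__(self): self.aborted = False
    def abortConnection(self): self.aborted = True
```

A client that stalls after the TCP handshake is dropped when the timer fires; one that completes TLS (or disconnects first) cancels the timer and the transport is left alone.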