** Description changed:

  ## DRAFT ##
  [Impact]
  
  When running TCP Defensics suite which sends corrupt packages towards
  vip__public port 443, the suite is hanging after the half suite because
  there are no free connections. The connections will be in state
  "established" ~ 2 hours.
  
- 1.2. Detailed trouble description 
- # ip netns exec haproxy netstat -npea | grep XXX.XXX.XXX.XXX | grep -i 
establish | grep 443 
- tcp 0 0 XXX.XXX.XXX.XXX:443 YYY.YY.YYY.YY:2940 ESTABLISHED 115 81148003 
29817/haproxy 
- tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:24979 ESTABLISHED 115 81802005 
29817/haproxy 
- tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:19394 ESTABLISHED 115 81782263 
29817/haproxy 
- tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:13931 ESTABLISHED 115 81752052 
29817/haproxy 
- tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:12668 ESTABLISHED 115 81743719 
29817/haproxy 
- tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:2961 ESTABLISHED 115 81139548 
29817/haproxy 
- tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:8918 ESTABLISHED 115 81738132 
29817/haproxy 
- tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:2957 ESTABLISHED 115 81148041 
29817/haproxy 
- tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:10552 ESTABLISHED 115 81744903 
29817/haproxy 
+ 1.2. Detailed trouble description
+ # ip netns exec haproxy netstat -npea | grep XXX.XXX.XXX.XXX | grep -i 
establish | grep 443
+ tcp 0 0 XXX.XXX.XXX.XXX:443 YYY.YY.YYY.YY:2940 ESTABLISHED 115 81148003 
29817/haproxy
+ tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:24979 ESTABLISHED 115 81802005 
29817/haproxy
+ tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:19394 ESTABLISHED 115 81782263 
29817/haproxy
+ tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:13931 ESTABLISHED 115 81752052 
29817/haproxy
+ tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:12668 ESTABLISHED 115 81743719 
29817/haproxy
+ tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:2961 ESTABLISHED 115 81139548 
29817/haproxy
+ tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:8918 ESTABLISHED 115 81738132 
29817/haproxy
+ tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:2957 ESTABLISHED 115 81148041 
29817/haproxy
+ tcp 0 0 XXX.XXX.XXX.XXX:443 YY.YY.YYY.YY:10552 ESTABLISHED 115 81744903 
29817/haproxy
  
- 
- This issue can be resolved by enabling the parameter(mod_reqtimeout). This 
parameter is available in apache 2.4.39 (released on 2019-04-01).
+ This issue can be resolved by enabling the parameter(mod_reqtimeout).
+ This parameter is available in apache 2.4.39 (released on 2019-04-01).
  
  [Test Case]
  
  [Regression Potential]
+ 
+ * The backport already exist in Bionic/Disco (done by security team via
+ the security channel)
+ 
+ * It is also backported upstream into 2.4 (branch : 2.4.x)
+ 
  
  [Other Info]
  
  [Original description]
  Backport the handshake feature in mod_reqtimeout (in Apache 2.4.39) to Apache 
2.4.18.
  
  Lack of this feature was exhausting free connections when sent corrupted
  packets.
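
Review bot: [Test Case] is still empty after this edit, and the new [Regression Potential] lines say where the backport already exists rather than what could break on 2.4.18. Suggest filling [Test Case] from the check already shown in 1.2 (after the corrupt-packet run, the netstat filter on port 443 should no longer show haproxy connections sitting in ESTABLISHED for ~2 hours) and naming the behaviour at risk under [Regression Potential], for example slow but legitimate clients being cut off during the handshake. Separately, "enabling the parameter(mod_reqtimeout)" names the module rather than a parameter; the original description calls it the handshake feature in mod_reqtimeout, so the resolution sentence should say that.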

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1846138

Title:
  backport mod_reqtimeout with handshake support

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1846138/+subscriptions
