Posted to issues@trafficserver.apache.org by "Susan Hinrichs (JIRA)" <ji...@apache.org> on 2014/11/18 19:37:34 UTC

[jira] [Comment Edited] (TS-1883) SSL origin connections do not support connection timeouts

    [ https://issues.apache.org/jira/browse/TS-1883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14216557#comment-14216557 ] 

Susan Hinrichs edited comment on TS-1883 at 11/18/14 6:37 PM:
--------------------------------------------------------------

Actually, if we look at the do_http_server_open() code in 5.x more closely, we see that only the CONNECT method will set up the timeouts here.  See the code snippet below with some extra SKH comments.  

It appears for the other methods, attach_server_session() sets up an inactivity timeout to enforce the connect timeout.  This appears to hold for both http and https (if we are proxying the https).  Verified by examining the code and setting breakpoints while passing through requests.

In the non-proxy case, the SSL logic does not go through any of this.  But I am assuming that this bug is concerning itself only with the proxied SSL connections.

  if (scheme_to_use == URL_WKSIDX_HTTPS) {
    DebugSM("http", "calling sslNetProcessor.connect_re");
    int len = 0;
    const char * host = t_state.hdr_info.server_request.host_get(&len);
    opt.set_sni_servername(host, len);
    connect_action_handle = sslNetProcessor.connect_re(this,    // state machine
                                                       &t_state.current.server->addr.sa,    // addr + port
                                                       &opt);
  } else {
    // SKH - If I'm anything other than a connect method, go ahead and set up the connections
    if (t_state.method != HTTP_WKSIDX_CONNECT) {
      DebugSM("http", "calling netProcessor.connect_re");
      connect_action_handle = netProcessor.connect_re(this,     // state machine
                                                      &t_state.current.server->addr.sa,    // addr + port
                                                      &opt);
    } else {
      // Setup the timeouts
      // Set the inactivity timeout to the connect timeout so that
      //   we fail this server if it doesn't start sending the response
      //   header
      MgmtInt connect_timeout;
      // SKH Only t_state.method == HTTP_WKSIDX_CONNECT should get here, so this first case doesn't make any sense
      // SKH In any case, the connect timeout is only passed into the connect_s code for the method=CONNECT case
      if (t_state.method == HTTP_WKSIDX_POST || t_state.method == HTTP_WKSIDX_PUT) {
        connect_timeout = t_state.txn_conf->post_connect_attempts_timeout;
      } else if (t_state.current.server == &t_state.parent_info) {
        connect_timeout = t_state.http_config_param->parent_connect_timeout;
      } else {
        if (t_state.pCongestionEntry != NULL)
          connect_timeout = t_state.pCongestionEntry->connect_timeout();
        else
          connect_timeout = t_state.txn_conf->connect_attempts_timeout;
      }
      DebugSM("http", "calling netProcessor.connect_s");
      connect_action_handle = netProcessor.connect_s(this,      // state machine
                                                     &t_state.current.server->addr.sa,    // addr + port
                                                     connect_timeout, &opt);
    }
  }



was (Author: shinrich):
Actually, if we look at the do_http_server_open() code in 5.x more closely, we see that only the CONNECT method will set up the timeouts here.  See the code snippet below with some extra SKH comments.  It appears for the other methods, attach_server_session() sets up an inactivity timeout to enforce the connect timeout.  This appears to hold for both http and https (if we are proxying the https).  I need to do some more investigation in the ssl code to complete my verification of this.

In the non-proxy case, the SSL logic does not go through any of this.  But I was assuming that this bug is concerning itself only with the proxied SSL connections.

  if (scheme_to_use == URL_WKSIDX_HTTPS) {
    DebugSM("http", "calling sslNetProcessor.connect_re");
    int len = 0;
    const char * host = t_state.hdr_info.server_request.host_get(&len);
    opt.set_sni_servername(host, len);
    connect_action_handle = sslNetProcessor.connect_re(this,    // state machine
                                                       &t_state.current.server->addr.sa,    // addr + port
                                                       &opt);
  } else {
    // SKH - If I'm anything other than a connect method, go ahead and set up the connections
    if (t_state.method != HTTP_WKSIDX_CONNECT) {
      DebugSM("http", "calling netProcessor.connect_re");
      connect_action_handle = netProcessor.connect_re(this,     // state machine
                                                      &t_state.current.server->addr.sa,    // addr + port
                                                      &opt);
    } else {
      // Setup the timeouts
      // Set the inactivity timeout to the connect timeout so that
      //   we fail this server if it doesn't start sending the response
      //   header
      MgmtInt connect_timeout;
      // SKH Only t_state.method == HTTP_WKSIDX_CONNECT should get here, so this first case doesn't make any sense
      // SKH In any case, the connect timeout is only passed into the connect_s code for the method=CONNECT case
      if (t_state.method == HTTP_WKSIDX_POST || t_state.method == HTTP_WKSIDX_PUT) {
        connect_timeout = t_state.txn_conf->post_connect_attempts_timeout;
      } else if (t_state.current.server == &t_state.parent_info) {
        connect_timeout = t_state.http_config_param->parent_connect_timeout;
      } else {
        if (t_state.pCongestionEntry != NULL)
          connect_timeout = t_state.pCongestionEntry->connect_timeout();
        else
          connect_timeout = t_state.txn_conf->connect_attempts_timeout;
      }
      DebugSM("http", "calling netProcessor.connect_s");
      connect_action_handle = netProcessor.connect_s(this,      // state machine
                                                     &t_state.current.server->addr.sa,    // addr + port
                                                     connect_timeout, &opt);
    }
  }


> SSL origin connections do not support connection timeouts
> ---------------------------------------------------------
>
>                 Key: TS-1883
>                 URL: https://issues.apache.org/jira/browse/TS-1883
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core, SSL
>            Reporter: James Peach
>            Assignee: Susan Hinrichs
>             Fix For: 5.3.0
>
>
> In {{proxy/http/HttpSM.cc}}, we can see that origin connections do not support timeouts if the scheme is HTTPS:
> {code}
> void
> HttpSM::do_http_server_open(bool raw)
> {
> ...
>   if (t_state.scheme == URL_WKSIDX_HTTPS) {
>     DebugSM("http", "calling sslNetProcessor.connect_re");
>     connect_action_handle = sslNetProcessor.connect_re(this,    // state machine
>                                                        &t_state.current.server->addr.sa,    // addr + port
>                                                        &opt);
>   } else {
> ...
>       // Setup the timeouts
>       // Set the inactivity timeout to the connect timeout so that
>       //   we fail this server if it doesn't start sending the response
>       //   header
>       MgmtInt connect_timeout;
>       if (t_state.method == HTTP_WKSIDX_POST || t_state.method == HTTP_WKSIDX_PUT) {
>         connect_timeout = t_state.txn_conf->post_connect_attempts_timeout;
>       } else if (t_state.current.server == &t_state.parent_info) {
>         connect_timeout = t_state.http_config_param->parent_connect_timeout;
>       } else {
>         if (t_state.pCongestionEntry != NULL)
>           connect_timeout = t_state.pCongestionEntry->connect_timeout();
>         else
>           connect_timeout = t_state.txn_conf->connect_attempts_timeout;
>       }
>       DebugSM("http", "calling netProcessor.connect_s");
>       connect_action_handle = netProcessor.connect_s(this,      // state machine
>                                                      &t_state.current.server->addr.sa,    // addr + port
>                                                      connect_timeout, &opt);
> ...
>   }
> {code}



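The comment above says an inactivity timeout is what enforces the connect timeout for non-CONNECT requests. The following is an added example, not code from the ticket or from Traffic Server: it uses plain POSIX sockets on loopback to show an origin that completes the TCP handshake but never sends a byte, so only a deadline on the first read fails it. The names `open_silent_listener`, `wait_for_first_byte`, `demo_silent_origin` and `OriginResult` are hypothetical.

```cpp
// Added illustration, not Traffic Server code: plain POSIX sockets on loopback.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

enum class OriginResult { Readable, InactivityTimeout, Error };

// Hypothetical helper: listen on an ephemeral loopback port and never accept().
static int open_silent_listener(sockaddr_in &addr) {
  int fd = socket(AF_INET, SOCK_STREAM, 0);
  if (fd < 0) return -1;
  addr = {};
  addr.sin_family = AF_INET;
  addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
  socklen_t len = sizeof(addr);
  auto *sa = reinterpret_cast<sockaddr *>(&addr);
  if (bind(fd, sa, len) < 0 || listen(fd, 1) < 0 || getsockname(fd, sa, &len) < 0) {
    close(fd);
    return -1;
  }
  return fd;
}

// Connect, then allow the origin at most timeout_ms to send its first byte.
OriginResult wait_for_first_byte(const sockaddr_in &origin, int timeout_ms) {
  int fd = socket(AF_INET, SOCK_STREAM, 0);
  if (fd < 0) return OriginResult::Error;
  OriginResult result = OriginResult::Error;
  if (connect(fd, reinterpret_cast<const sockaddr *>(&origin), sizeof(origin)) == 0) {
    pollfd pfd{fd, POLLIN, 0};
    int n = poll(&pfd, 1, timeout_ms); // the inactivity deadline
    if (n >= 0) result = n == 0 ? OriginResult::InactivityTimeout : OriginResult::Readable;
  }
  close(fd);
  return result;
}

// Constructed scenario: connect() succeeds but the peer stays silent.
OriginResult demo_silent_origin(int timeout_ms) {
  sockaddr_in addr;
  int lfd = open_silent_listener(addr);
  OriginResult r = lfd < 0 ? OriginResult::Error : wait_for_first_byte(addr, timeout_ms);
  if (lfd >= 0) close(lfd);
  return r;
}

int main() { return demo_silent_origin(200) == OriginResult::InactivityTimeout ? 0 : 1; }
```

The kernel completes the handshake out of the listen backlog, so `connect()` returns success even though nothing ever calls `accept()`; a timeout applied only to the connect step would not fire here.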