Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2016/08/15 21:08:20 UTC

[jira] [Comment Edited] (TS-1883) SSL origin connections do not support connection timeouts

    [ https://issues.apache.org/jira/browse/TS-1883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14216557#comment-14216557 ] 

Leif Hedstrom edited comment on TS-1883 at 8/15/16 9:07 PM:
------------------------------------------------------------

Actually, if we look at the do_http_server_open() code in 5.x more closely, we see that only the CONNECT method will set up the timeouts here.  See the code snippet below with some extra SKH comments.  

It appears that for the other methods, attach_server_session() sets up an inactivity timeout to enforce the connect timeout.  This appears to hold for both http and https (if we are proxying the https).  Verified by examining the code and setting breakpoints while passing through requests.

I'm guessing that this code has evolved since it was reported in 3.x, and was fixed along the way.

In the non-proxy case, the SSL logic does not go through any of this.  But I am assuming that this bug is concerning itself only with the proxied SSL connections.
{code}

  if (scheme_to_use == URL_WKSIDX_HTTPS) {
    DebugSM("http", "calling sslNetProcessor.connect_re");
    int len = 0;
    const char * host = t_state.hdr_info.server_request.host_get(&len);
    opt.set_sni_servername(host, len);
    connect_action_handle = sslNetProcessor.connect_re(this,    // state machine
                                                       &t_state.current.server->addr.sa,    // addr + port
                                                       &opt);
  } else {
    // SKH - If I'm anything other than a connect method, go ahead and set up the connections
    if (t_state.method != HTTP_WKSIDX_CONNECT) {
      DebugSM("http", "calling netProcessor.connect_re");
      connect_action_handle = netProcessor.connect_re(this,     // state machine
                                                      &t_state.current.server->addr.sa,    // addr + port
                                                      &opt);
    } else {
      // Setup the timeouts
      // Set the inactivity timeout to the connect timeout so that
      //   we fail this server if it doesn't start sending the response
      //   header
      MgmtInt connect_timeout;
      // SKH Only t_state.method == HTTP_WKSIDX_CONNECT should get here, so this first case doesn't make any sense
      // SKH In any case, the connect timeout is only passed into the connect_s code for the method=CONNECT case
      if (t_state.method == HTTP_WKSIDX_POST || t_state.method == HTTP_WKSIDX_PUT) {
        connect_timeout = t_state.txn_conf->post_connect_attempts_timeout;
      } else if (t_state.current.server == &t_state.parent_info) {
        connect_timeout = t_state.http_config_param->parent_connect_timeout;
      } else {
        if (t_state.pCongestionEntry != NULL)
          connect_timeout = t_state.pCongestionEntry->connect_timeout();
        else
          connect_timeout = t_state.txn_conf->connect_attempts_timeout;
      }
      DebugSM("http", "calling netProcessor.connect_s");
      connect_action_handle = netProcessor.connect_s(this,      // state machine
                                                     &t_state.current.server->addr.sa,    // addr + port
                                                     connect_timeout, &opt);
    }
  }
{code}


was (Author: shinrich):
Actually, if we look at the do_http_server_open() code in 5.x more closely, we see that only the CONNECT method will set up the timeouts here.  See the code snippet below with some extra SKH comments.  

It appears that for the other methods, attach_server_session() sets up an inactivity timeout to enforce the connect timeout.  This appears to hold for both http and https (if we are proxying the https).  Verified by examining the code and setting breakpoints while passing through requests.

I'm guessing that this code has evolved since it was reported in 3.x, and was fixed along the way.

In the non-proxy case, the SSL logic does not go through any of this.  But I am assuming that this bug is concerning itself only with the proxied SSL connections.

  if (scheme_to_use == URL_WKSIDX_HTTPS) {
    DebugSM("http", "calling sslNetProcessor.connect_re");
    int len = 0;
    const char * host = t_state.hdr_info.server_request.host_get(&len);
    opt.set_sni_servername(host, len);
    connect_action_handle = sslNetProcessor.connect_re(this,    // state machine
                                                       &t_state.current.server->addr.sa,    // addr + port
                                                       &opt);
  } else {
    // SKH - If I'm anything other than a connect method, go ahead and set up the connections
    if (t_state.method != HTTP_WKSIDX_CONNECT) {
      DebugSM("http", "calling netProcessor.connect_re");
      connect_action_handle = netProcessor.connect_re(this,     // state machine
                                                      &t_state.current.server->addr.sa,    // addr + port
                                                      &opt);
    } else {
      // Setup the timeouts
      // Set the inactivity timeout to the connect timeout so that
      //   we fail this server if it doesn't start sending the response
      //   header
      MgmtInt connect_timeout;
      // SKH Only t_state.method == HTTP_WKSIDX_CONNECT should get here, so this first case doesn't make any sense
      // SKH In any case, the connect timeout is only passed into the connect_s code for the method=CONNECT case
      if (t_state.method == HTTP_WKSIDX_POST || t_state.method == HTTP_WKSIDX_PUT) {
        connect_timeout = t_state.txn_conf->post_connect_attempts_timeout;
      } else if (t_state.current.server == &t_state.parent_info) {
        connect_timeout = t_state.http_config_param->parent_connect_timeout;
      } else {
        if (t_state.pCongestionEntry != NULL)
          connect_timeout = t_state.pCongestionEntry->connect_timeout();
        else
          connect_timeout = t_state.txn_conf->connect_attempts_timeout;
      }
      DebugSM("http", "calling netProcessor.connect_s");
      connect_action_handle = netProcessor.connect_s(this,      // state machine
                                                     &t_state.current.server->addr.sa,    // addr + port
                                                     connect_timeout, &opt);
    }
  }


> SSL origin connections do not support connection timeouts
> ---------------------------------------------------------
>
>                 Key: TS-1883
>                 URL: https://issues.apache.org/jira/browse/TS-1883
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core, SSL
>            Reporter: James Peach
>             Fix For: 7.0.0
>
>
> In {{proxy/http/HttpSM.cc}}, we can see that origin connections do not support timeouts if the scheme is HTTPS:
> {code}
> void
> HttpSM::do_http_server_open(bool raw)
> {
> ...
>   if (t_state.scheme == URL_WKSIDX_HTTPS) {
>     DebugSM("http", "calling sslNetProcessor.connect_re");
>     connect_action_handle = sslNetProcessor.connect_re(this,    // state machine
>                                                        &t_state.current.server->addr.sa,    // addr + port
>                                                        &opt);
>   } else {
> ...
>       // Setup the timeouts
>       // Set the inactivity timeout to the connect timeout so that
>       //   we fail this server if it doesn't start sending the response
>       //   header
>       MgmtInt connect_timeout;
>       if (t_state.method == HTTP_WKSIDX_POST || t_state.method == HTTP_WKSIDX_PUT) {
>         connect_timeout = t_state.txn_conf->post_connect_attempts_timeout;
>       } else if (t_state.current.server == &t_state.parent_info) {
>         connect_timeout = t_state.http_config_param->parent_connect_timeout;
>       } else {
>         if (t_state.pCongestionEntry != NULL)
>           connect_timeout = t_state.pCongestionEntry->connect_timeout();
>         else
>           connect_timeout = t_state.txn_conf->connect_attempts_timeout;
>       }
>       DebugSM("http", "calling netProcessor.connect_s");
>       connect_action_handle = netProcessor.connect_s(this,      // state machine
>                                                      &t_state.current.server->addr.sa,    // addr + port
>                                                      connect_timeout, &opt);
> ...
>   }
> {code}
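
The behaviour discussed in this thread, a single timeout budget that covers the TCP connect and then acts as the inactivity timeout while waiting for the origin's first bytes, shown as an added example. It is not Traffic Server code: `open_with_deadline`, `silent_listener` and `OpenResult` are hypothetical names, and plain POSIX sockets stand in for the proxy's net processor.

```cpp
// Added example; not Traffic Server code. All names here are hypothetical.
#include <arpa/inet.h>
#include <cerrno>
#include <chrono>
#include <fcntl.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>
using Clock = std::chrono::steady_clock;
enum class OpenResult { PeerActive, ConnectTimeout, InactivityTimeout, Error };

static int remaining_ms(Clock::time_point deadline) {
  auto left = std::chrono::duration_cast<std::chrono::milliseconds>(deadline - Clock::now()).count();
  return left > 0 ? static_cast<int>(left) : 0;
}
// One budget covers the TCP connect *and* the wait for the peer's first byte,
// so a peer that accepts the connection and then stays silent is still failed.
OpenResult open_with_deadline(const sockaddr_in &addr, int timeout_ms) {
  const auto deadline = Clock::now() + std::chrono::milliseconds(timeout_ms);
  int fd = socket(AF_INET, SOCK_STREAM, 0);
  if (fd < 0) return OpenResult::Error;
  fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
  OpenResult res = OpenResult::Error;
  int rc = connect(fd, reinterpret_cast<const sockaddr *>(&addr), sizeof(addr));
  if (rc == 0 || errno == EINPROGRESS) {
    pollfd p{fd, POLLOUT, 0};
    int err = 0; socklen_t len = sizeof(err);
    int n = (rc == 0) ? 1 : poll(&p, 1, remaining_ms(deadline));
    if (n == 0) res = OpenResult::ConnectTimeout;
    else if (n > 0 && getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0) {
      p.events = POLLIN; // connected: the rest of the budget is the inactivity timer
      n = poll(&p, 1, remaining_ms(deadline));
      res = (n == 0) ? OpenResult::InactivityTimeout : (n > 0 ? OpenResult::PeerActive : OpenResult::Error);
    }
  }
  close(fd);
  return res;
}
// Constructed test peer: listens on 127.0.0.1, never accepts, never sends.
int silent_listener(sockaddr_in *out) {
  int fd = socket(AF_INET, SOCK_STREAM, 0);
  socklen_t len = sizeof(*out);
  *out = sockaddr_in{};
  out->sin_family = AF_INET;
  out->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
  auto *sa = reinterpret_cast<sockaddr *>(out);
  bool ok = fd >= 0 && bind(fd, sa, len) == 0 && listen(fd, 8) == 0 && getsockname(fd, sa, &len) == 0;
  return ok ? fd : -1;
}
```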


