Posted to commits@trafficserver.apache.org by su...@apache.org on 2015/06/30 17:29:11 UTC

trafficserver git commit: [TS-3727]: Add a timer for SSL server handshake duration.

Repository: trafficserver
Updated Branches:
  refs/heads/master 65fa4ec51 -> 9a1b0fcf0


[TS-3727]: Add a timer for SSL server handshake duration.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/9a1b0fcf
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/9a1b0fcf
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/9a1b0fcf

Branch: refs/heads/master
Commit: 9a1b0fcf098ff104dd375f99ad650a4e426f56fd
Parents: 65fa4ec
Author: Sudheer Vinukonda <su...@yahoo-inc.com>
Authored: Tue Jun 30 15:28:35 2015 +0000
Committer: Sudheer Vinukonda <su...@yahoo-inc.com>
Committed: Tue Jun 30 15:28:35 2015 +0000

----------------------------------------------------------------------
 iocore/net/P_SSLConfig.h            |  1 +
 iocore/net/SSLConfig.cc             |  3 +++
 iocore/net/SSLNetVConnection.cc     | 16 ++++++++++++++++
 iocore/net/SSLNextProtocolAccept.cc |  1 -
 mgmt/RecordsConfig.cc               |  2 ++
 5 files changed, 22 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9a1b0fcf/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 68dd50f..1a6cd60 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -92,6 +92,7 @@ struct SSLConfigParams : public ConfigInfo {
   static int ssl_ocsp_cache_timeout;
   static int ssl_ocsp_request_timeout;
   static int ssl_ocsp_update_period;
+  static int ssl_handshake_timeout_in;
 
   static size_t session_cache_number_buckets;
   static size_t session_cache_max_bucket_size;
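Review bot: The added `static int ssl_handshake_timeout_in;` says nothing about its unit or what 0 means, and a reader of this header has to open SSLNetVConnection.cc to learn that the value is fed to HRTIME_SECONDS and compared against elapsed seconds. A trailing comment would fix that: `static int ssl_handshake_timeout_in; // inbound TLS handshake limit in seconds; 0 leaves the check off`. The SSLConfigParams struct starts and ends outside the hunk.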

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9a1b0fcf/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 8e7766d..0690655 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -48,6 +48,7 @@ bool SSLConfigParams::ssl_ocsp_enabled = false;
 int SSLConfigParams::ssl_ocsp_cache_timeout = 3600;
 int SSLConfigParams::ssl_ocsp_request_timeout = 10;
 int SSLConfigParams::ssl_ocsp_update_period = 60;
+int SSLConfigParams::ssl_handshake_timeout_in = 0;
 size_t SSLConfigParams::session_cache_number_buckets = 1024;
 bool SSLConfigParams::session_cache_skip_on_lock_contention = false;
 size_t SSLConfigParams::session_cache_max_bucket_size = 100;
@@ -269,6 +270,8 @@ SSLConfigParams::initialize()
   REC_EstablishStaticConfigInt32(ssl_ocsp_request_timeout, "proxy.config.ssl.ocsp.request_timeout");
   REC_EstablishStaticConfigInt32(ssl_ocsp_update_period, "proxy.config.ssl.ocsp.update_period");
 
+  REC_ReadConfigInt32(ssl_handshake_timeout_in, "proxy.config.ssl.handshake_timeout_in");
+
   // ++++++++++++++++++++++++ Client part ++++++++++++++++++++
   client_verify_depth = 7;
   REC_ReadConfigInt32(clientVerify, "proxy.config.ssl.client.verify.server");
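Review bot: `REC_ReadConfigInt32(ssl_handshake_timeout_in, "proxy.config.ssl.handshake_timeout_in");` is a one-shot read, while the three OCSP settings directly above it use `REC_EstablishStaticConfigInt32`. Since the record is registered as RECU_RESTART_TS either macro behaves the same at runtime, but using the neighbours' form keeps the block uniform: `REC_EstablishStaticConfigInt32(ssl_handshake_timeout_in, "proxy.config.ssl.handshake_timeout_in");`. A one-line comment above it noting that the value is in seconds and that 0 is the disabled/default setting would spare readers a trip to SSLNetVConnection.cc. initialize() continues outside the hunk.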

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9a1b0fcf/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 60061fd..f9092db 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -465,6 +465,17 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread)
       this->read.triggered = 0;
       readSignalError(nh, err);
     } else if (ret == SSL_HANDSHAKE_WANT_READ || ret == SSL_HANDSHAKE_WANT_ACCEPT) {
+      if (SSLConfigParams::ssl_handshake_timeout_in > 0) {
+        double handshake_time = ((ink_get_hrtime_internal() - sslHandshakeBeginTime)/1000000000);
+        Debug ("ssl", "ssl handshake for vc %p, took %.3f seconds, configured handshake_timer: %d", this, handshake_time, SSLConfigParams::ssl_handshake_timeout_in);
+        if (handshake_time > SSLConfigParams::ssl_handshake_timeout_in) {
+          Debug ("ssl", "ssl handshake for vc %p, expired, release the connection", this);
+          read.triggered = 0;
+          nh->read_ready_list.remove(this);
+          readSignalError(nh, VC_EVENT_EOS);
+          return;
+        }
+      }
       read.triggered = 0;
       nh->read_ready_list.remove(this);
       readReschedule(nh);
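Review bot: The `double handshake_time = ((ink_get_hrtime_internal() - sslHandshakeBeginTime)/1000000000);` line divides two integer hrtime values before the result is widened to double, so `handshake_time` is truncated to whole seconds: the `%.3f` in the Debug call will always print `.000`, and the `>` comparison only fires once a full extra second beyond the configured limit has elapsed. Comparing in hrtime units avoids the conversion entirely, using the same macro the commit already uses in sslStartHandShake: `if (ink_get_hrtime_internal() - sslHandshakeBeginTime > HRTIME_SECONDS(SSLConfigParams::ssl_handshake_timeout_in)) {`, and if the seconds value is kept for the Debug line it should be computed with `/ 1000000000.0`. Note also that this check sits on the WANT_READ/WANT_ACCEPT branch, so it appears to run only when the peer has sent something; a connection that goes quiet mid-handshake is covered solely by the inactivity timeout armed in sslStartHandShake, which is worth saying in a comment above the `if`. The enclosing net_read_io body starts and ends outside the hunk.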
@@ -839,6 +850,11 @@ SSLNetVConnection::free(EThread *t)
 int
 SSLNetVConnection::sslStartHandShake(int event, int &err)
 {
+  if (sslHandshakeBeginTime == 0) {
+    sslHandshakeBeginTime = ink_get_hrtime_internal();
+    // net_activity will not be triggered until after the handshake
+    set_inactivity_timeout(HRTIME_SECONDS(SSLConfigParams::ssl_handshake_timeout_in));
+  }
   switch (event) {
   case SSL_EVENT_SERVER:
     if (this->ssl == NULL) {
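Review bot: `set_inactivity_timeout(HRTIME_SECONDS(SSLConfigParams::ssl_handshake_timeout_in));` is called unconditionally, so with the default value 0 it is invoked with a zero timeout and replaces whatever inactivity timeout the accept path had already armed for this connection. The behaviour of a zero argument is not visible here, but either outcome is wrong for the default configuration: if 0 cancels the timer, a peer that never finishes the handshake is left with no inactivity limit at all, and if 0 arms an immediate timeout the handshake is cut off; the option should be a no-op when unset. Guard the call the same way the read path does, `if (SSLConfigParams::ssl_handshake_timeout_in > 0)` around the `set_inactivity_timeout(...)` line, leaving only the `sslHandshakeBeginTime` assignment unconditional. The comment above the call would also benefit from stating that the value is in seconds and that this block is entered only while `sslHandshakeBeginTime == 0`; where that field is reset to 0 for a reused connection is not visible in this diff. sslStartHandShake's body continues past the hunk.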

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9a1b0fcf/iocore/net/SSLNextProtocolAccept.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNextProtocolAccept.cc b/iocore/net/SSLNextProtocolAccept.cc
index 6399e1d..08b5920 100644
--- a/iocore/net/SSLNextProtocolAccept.cc
+++ b/iocore/net/SSLNextProtocolAccept.cc
@@ -117,7 +117,6 @@ SSLNextProtocolAccept::mainEvent(int event, void *edata)
 {
   SSLNetVConnection *netvc = ssl_netvc_cast(event, edata);
 
-  netvc->sslHandshakeBeginTime = Thread::get_hrtime();
   Debug("ssl", "[SSLNextProtocolAccept:mainEvent] event %d netvc %p", event, netvc);
 
   switch (event) {

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9a1b0fcf/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 0f9d8c8..b6a0922 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1282,6 +1282,8 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.dhparams_file", RECD_STRING, NULL, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.handshake_timeout_in", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-65535]", RECA_NULL}
+  ,
   //##############################################################################
   //#
   //# OCSP (Online Certificate Status Protocol) Stapling Configuration
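Review bot: The new record `{RECT_CONFIG, "proxy.config.ssl.handshake_timeout_in", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-65535]", RECA_NULL}` has no matching documentation change in the diffstat, so its unit (seconds, per the HRTIME_SECONDS conversion in SSLNetVConnection.cc), the default of 0 and the accepted range `[0-65535]` exist only in this table. The records.config documentation should gain an entry describing the option, including that it requires a restart (RECU_RESTART_TS) and that 0 leaves the handshake timer disabled. The RecordsConfig array continues outside the hunk.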