From 45a69274af4f025099046010cb885f15f4129f14 Mon Sep 17 00:00:00 2001
From: Mahmoud Mazouz
Date: Fri, 4 Oct 2024 15:57:49 +0000
Subject: [PATCH 1/3] Add timeout for TLS handshakes
---
 io/zenoh-links/zenoh-link-tls/src/lib.rs | 2 ++
 io/zenoh-links/zenoh-link-tls/src/unicast.rs | 16 +++++++++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/io/zenoh-links/zenoh-link-tls/src/lib.rs b/io/zenoh-links/zenoh-link-tls/src/lib.rs
index 2a18e3b5b3..d1b8a6b27d 100644
--- a/io/zenoh-links/zenoh-link-tls/src/lib.rs
+++ b/io/zenoh-links/zenoh-link-tls/src/lib.rs
@@ -81,6 +81,8 @@ zconfigurable! {
 // Amount of time in microseconds to throttle the accept loop upon an error.
 // Default set to 100 ms.
 static ref TLS_ACCEPT_THROTTLE_TIME: u64 = 100_000;
+ /// The time duration in milliseconds to wait for the TLS handshake to complete.
+ static ref TLS_HANDSHAKE_TIMEOUT_MS: u64 = 10_000;
 }
 pub mod config {
diff --git a/io/zenoh-links/zenoh-link-tls/src/unicast.rs b/io/zenoh-links/zenoh-link-tls/src/unicast.rs
index 5a29ab29c0..4dffc5d0c7 100644
--- a/io/zenoh-links/zenoh-link-tls/src/unicast.rs
+++ b/io/zenoh-links/zenoh-link-tls/src/unicast.rs
@@ -35,7 +35,8 @@ use zenoh_result::{zerror, ZResult};
 use crate::{
 utils::{get_tls_addr, get_tls_host, get_tls_server_name, TlsClientConfig, TlsServerConfig},
- TLS_ACCEPT_THROTTLE_TIME, TLS_DEFAULT_MTU, TLS_LINGER_TIMEOUT, TLS_LOCATOR_PREFIX,
+ TLS_ACCEPT_THROTTLE_TIME, TLS_DEFAULT_MTU, TLS_HANDSHAKE_TIMEOUT_MS, TLS_LINGER_TIMEOUT,
+ TLS_LOCATOR_PREFIX,
 };
 #[derive(Default, Debug, PartialEq, Eq, Hash)]
@@ -436,9 +437,18 @@ async fn accept_task(
 };
 // Accept the TLS connection
- let tls_stream = match acceptor.accept(tcp_stream).await {
- Ok(stream) => TlsStream::Server(stream),
+ let tls_stream = match tokio::time::timeout(
+ dbg!(Duration::from_millis(*TLS_HANDSHAKE_TIMEOUT_MS)),
+ acceptor.accept(tcp_stream),
+ )
+ .await
+ {
+ Ok(Ok(stream)) => TlsStream::Server(stream),
 Err(e) => {
+ tracing::warn!("TLS handshake timed out: {e}");
+ continue;
+ }
+ Ok(Err(e)) => {
 let e = format!("Can not accept TLS connection: {e}");
 tracing::warn!("{}", e);
 continue;
From 7ea8f051e1b888ba7f05fa4cbd61e75da2cb2b8f Mon Sep 17 00:00:00 2001
From: Mahmoud Mazouz
Date: Mon, 7 Oct 2024 07:40:40 +0000
Subject: =?UTF-8?q?Remove=20`dbg!`=20(quand=20m=C3=AAme)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 io/zenoh-links/zenoh-link-tls/src/unicast.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io/zenoh-links/zenoh-link-tls/src/unicast.rs b/io/zenoh-links/zenoh-link-tls/src/unicast.rs
index 4dffc5d0c7..49886843fe 100644
--- a/io/zenoh-links/zenoh-link-tls/src/unicast.rs
+++ b/io/zenoh-links/zenoh-link-tls/src/unicast.rs
@@ -438,7 +438,7 @@ async fn accept_task(
 // Accept the TLS connection
 let tls_stream = match tokio::time::timeout(
- dbg!(Duration::from_millis(*TLS_HANDSHAKE_TIMEOUT_MS)),
+ Duration::from_millis(*TLS_HANDSHAKE_TIMEOUT_MS),
 acceptor.accept(tcp_stream),
 )
 .await
From d5abf44e1bd27a37df725f0f74279190e9d01128 Mon Sep 17 00:00:00 2001
From: Mahmoud Mazouz
Date: Mon, 7 Oct 2024 11:20:38 +0000
Subject: [PATCH 3/3] Add `tls_handshake_timeout_ms` endpoint config option
---
 io/zenoh-links/zenoh-link-tls/src/lib.rs | 6 ++++--
 io/zenoh-links/zenoh-link-tls/src/unicast.rs | 17 +++++++++++----
 io/zenoh-links/zenoh-link-tls/src/utils.rs | 22 ++++++++++++++----
 3 files changed, 35 insertions(+), 10 deletions(-)
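Review bot: The timeout bounds how long one handshake can stall, but the handshake is still awaited inline in accept_task's loop (both `continue` arms return to the same loop), so a peer that connects over TCP and then stays silent holds the accept loop for the full 10 s before the next connection is accepted; if the next TCP accept only happens after this match, as the `continue`s suggest, moving `acceptor.accept(tcp_stream)` and the link setup that follows into a spawned task would stop one slow peer from serializing every other handshake. The timed-out arm also logs only the `Elapsed` error, which reads identically for every peer, while the inner `accept` helper returns the peer `SocketAddr` alongside `tcp_stream`; include it so the event is attributable, e.g. `tracing::warn!("TLS handshake with {addr} timed out: {e}");` (the address binding's name is not visible in this hunk). The `dbg!` around the duration is removed by the second patch in this series. accept_task starts and ends outside the hunk.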
diff --git a/io/zenoh-links/zenoh-link-tls/src/lib.rs b/io/zenoh-links/zenoh-link-tls/src/lib.rs
index d1b8a6b27d..a547c5d77f 100644
--- a/io/zenoh-links/zenoh-link-tls/src/lib.rs
+++ b/io/zenoh-links/zenoh-link-tls/src/lib.rs
@@ -81,8 +81,6 @@ zconfigurable! {
 // Amount of time in microseconds to throttle the accept loop upon an error.
 // Default set to 100 ms.
 static ref TLS_ACCEPT_THROTTLE_TIME: u64 = 100_000;
- /// The time duration in milliseconds to wait for the TLS handshake to complete.
- static ref TLS_HANDSHAKE_TIMEOUT_MS: u64 = 10_000;
 }
 pub mod config {
@@ -110,4 +108,8 @@ pub mod config {
 pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect";
 pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: bool = true;
+
+ /// The time duration in milliseconds to wait for the TLS handshake to complete.
+ pub const TLS_HANDSHAKE_TIMEOUT_MS: &str = "tls_handshake_timeout_ms";
+ pub const TLS_HANDSHAKE_TIMEOUT_MS_DEFAULT: u64 = 10_000;
 }
diff --git a/io/zenoh-links/zenoh-link-tls/src/unicast.rs b/io/zenoh-links/zenoh-link-tls/src/unicast.rs
index 49886843fe..60eb47b323 100644
--- a/io/zenoh-links/zenoh-link-tls/src/unicast.rs
+++ b/io/zenoh-links/zenoh-link-tls/src/unicast.rs
@@ -35,8 +35,7 @@ use zenoh_result::{zerror, ZResult};
 use crate::{
 utils::{get_tls_addr, get_tls_host, get_tls_server_name, TlsClientConfig, TlsServerConfig},
- TLS_ACCEPT_THROTTLE_TIME, TLS_DEFAULT_MTU, TLS_HANDSHAKE_TIMEOUT_MS, TLS_LINGER_TIMEOUT,
- TLS_LOCATOR_PREFIX,
+ TLS_ACCEPT_THROTTLE_TIME, TLS_DEFAULT_MTU, TLS_LINGER_TIMEOUT, TLS_LOCATOR_PREFIX,
 };
 #[derive(Default, Debug, PartialEq, Eq, Hash)]
@@ -370,7 +369,16 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastTls {
 let token = token.clone();
 let manager = self.manager.clone();
- async move { accept_task(socket, acceptor, token, manager).await }
+ async move {
+ accept_task(
+ socket,
+ acceptor,
+ token,
+ manager,
+ tls_server_config.tls_handshake_timeout,
+ )
+ .await
+ }
 };
 // Update the endpoint locator address
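Review bot: The new key `"tls_handshake_timeout_ms"` carries a `tls_` prefix that the neighbouring key in this module, `"verify_name_on_connect"`, does not; every key here is already a TLS endpoint option, so `"handshake_timeout_ms"` would match the existing naming unless the prefix is deliberate (the commit title uses the prefixed form, so this may be intended). The doc comment on `TLS_HANDSHAKE_TIMEOUT_MS` is also the only place a user will look for the fallback, so state it there rather than leaving it to utils.rs: `/// Time in milliseconds to wait for a TLS handshake to complete; when unset, TLS_HANDSHAKE_TIMEOUT_MS_DEFAULT (10 s) applies.` Saying whether the option applies to the accept side only would belong in the same comment, since nothing visible in this series applies it to outgoing connections.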
@@ -407,6 +415,7 @@ async fn accept_task(
 acceptor: TlsAcceptor,
 token: CancellationToken,
 manager: NewLinkChannelSender,
+ tls_handshake_timeout: Duration,
 ) -> ZResult<()> {
 async fn accept(socket: &TcpListener) -> ZResult<(TcpStream, SocketAddr)> {
 let res = socket.accept().await.map_err(|e| zerror!(e))?;
@@ -438,7 +447,7 @@ async fn accept_task(
 // Accept the TLS connection
 let tls_stream = match tokio::time::timeout(
- Duration::from_millis(*TLS_HANDSHAKE_TIMEOUT_MS),
+ tls_handshake_timeout,
 acceptor.accept(tcp_stream),
 )
 .await
diff --git a/io/zenoh-links/zenoh-link-tls/src/utils.rs b/io/zenoh-links/zenoh-link-tls/src/utils.rs
index 2894bcf337..b6e2c69578 100644
--- a/io/zenoh-links/zenoh-link-tls/src/utils.rs
+++ b/io/zenoh-links/zenoh-link-tls/src/utils.rs
@@ -14,10 +14,11 @@ use std::{
 convert::TryFrom,
 fs::File,
- io,
- io::{BufReader, Cursor},
+ io::{self, BufReader, Cursor},
 net::SocketAddr,
+ str::FromStr,
 sync::Arc,
+ time::Duration,
 };
 use rustls::{
@@ -37,7 +38,7 @@ use zenoh_protocol::core::{
 };
 use zenoh_result::{bail, zerror, ZError, ZResult};
-use crate::config::*;
+use crate::config::{self, *};
 #[derive(Default, Clone, Copy, Debug)]
 pub struct TlsConfigurator;
@@ -149,6 +150,7 @@ impl ConfigurationInspector for TlsConfigurator {
 pub(crate) struct TlsServerConfig {
 pub(crate) server_config: ServerConfig,
+ pub(crate) tls_handshake_timeout: Duration,
 }
 impl TlsServerConfig {
@@ -217,7 +219,19 @@ impl TlsServerConfig {
 .with_single_cert(certs, keys.remove(0))
 .map_err(|e| zerror!(e))?
 };
- Ok(TlsServerConfig { server_config: sc })
+
+ let tls_handshake_timeout = Duration::from_millis(
+ config
+ .get(config::TLS_HANDSHAKE_TIMEOUT_MS)
+ .map(u64::from_str)
+ .transpose()?
+ .unwrap_or(config::TLS_HANDSHAKE_TIMEOUT_MS_DEFAULT),
+ );
+
+ Ok(TlsServerConfig {
+ server_config: sc,
+ tls_handshake_timeout,
+ })
 }
 async fn load_tls_private_key(config: &Config<'_>) -> ZResult> {
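Review bot: The new `tls_handshake_timeout` parameter is undocumented, and since accept_task's signature begins outside the hunk a reader of the parameter list cannot tell where the value comes from or that a zero duration makes `tokio::time::timeout` fail every handshake that does not complete on its first poll. A one-line comment above the parameter would close that gap: `// Upper bound on a single TLS handshake; comes from TlsServerConfig::tls_handshake_timeout.` The same parameter is consumed by the second hunk of this file, which needs no change of its own.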
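Review bot: A malformed `tls_handshake_timeout_ms` value is rejected by the bare `?` after `.transpose()`, so the error reaching the operator is the raw integer-parse message with no mention of which endpoint key was at fault, and a configured `0` is accepted and turned into `Duration::ZERO`, which makes every server-side handshake time out unless it completes on its first poll, i.e. the listener accepts no TLS connections at all. Both are cheap to catch here, where the key name is known: name the key in the parse error and reject zero with `bail!`, which this file already imports. Nothing in this series bounds the client-side handshake (`TlsClientConfig` is untouched), so a connecting peer still waits indefinitely on a server that stalls the handshake; if that is deliberate, saying so in the option's doc comment would avoid the surprise. The enclosing constructor begins outside the hunk.
```rust
    // … unchanged: certificate / key loading into `sc` …

    // Parse here, where the key name is known, so a bad value is reported
    // against the endpoint key rather than as a bare integer-parse error.
    let timeout_ms = match config.get(config::TLS_HANDSHAKE_TIMEOUT_MS) {
        Some(raw) => match raw.parse::<u64>() {
            Ok(ms) => ms,
            Err(e) => bail!("invalid {}: {}", config::TLS_HANDSHAKE_TIMEOUT_MS, e),
        },
        None => config::TLS_HANDSHAKE_TIMEOUT_MS_DEFAULT,
    };
    // A zero timeout would fail every handshake; treat it as a misconfiguration.
    if timeout_ms == 0 {
        bail!("{} must be greater than 0", config::TLS_HANDSHAKE_TIMEOUT_MS);
    }
    let tls_handshake_timeout = Duration::from_millis(timeout_ms);

    Ok(TlsServerConfig {
        server_config: sc,
        tls_handshake_timeout,
    })
```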