On 28/06/2014 3:38 a.m., Tsantilas Christos wrote:
> Hi all,
>
> Currently FwdState::negotiateSSL() operates on a TCP connection without
> a timeout. If, for example, the server never responds to Squid SSL
> Hello, the connection gets stuck forever. This happens in real world when,
> for example, a client is trying to establish an SSL connection through
> bumping Squid to an HTTP server that does not speak SSL and does not
> detect initial request garbage (from HTTP point of view).
>
> Moreover, if the client closes the connection while Squid is fruitlessly
> waiting for server SSL negotiation, the client connection will get into
> the CLOSE_WAIT state with a 1 day client_lifetime timeout. This patch
> does not address that CLOSE_WAIT problem directly.
>
> This patch adds an SSL negotiation timeout for the server SSL connection
> and tries to not exceed forward_timeout or peer_timeout while connecting
> to an SSL server.
>
> Some notes:
> - In this patch still the timeouts used for Ssl::PeerConnector are not
> accurate, they may be 5 secs more than the forward timeout or 1 second
> more than peer_connect timeout, but I think they are reasonable enough.
>
> - Please check and comment the new
> Comm::Connection::startTime()/::noteStart() mechanism.
> Now the Comm::Connection::startTime_ is computed in Comm::Connection
> constructor and reset in Comm::ConnOpener::start() and
> Comm::TcpAcceptor::start()
>
>
> This is a Measurement Factory project.

+1. Please apply ASAP.

Amos
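The failure mode discussed in this thread, as an added Python illustration that is not part of the thread and is not Squid code: a constructed local peer accepts TCP but never answers the ClientHello, and the handshake is bounded by what is left of a forward timeout measured from the connection's start time. The helper names, the hostname and the timeout values are assumptions made for the example.

```python
import socket
import ssl
import threading
import time

def remaining_budget(start_time, forward_timeout, now=None):
    """Seconds left for the handshake, counted from when the connection started."""
    now = time.monotonic() if now is None else now
    return max(0.0, forward_timeout - (now - start_time))

def silent_server():
    """Constructed peer: accepts one TCP connection, then never reads or writes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    held = []  # keep the accepted socket referenced so it stays open
    def run():
        conn, _ = srv.accept()
        held.append(conn)
    threading.Thread(target=run, daemon=True).start()
    return srv, held

def negotiate(addr, forward_timeout):
    """Return 'negotiated' or 'timeout'; never waits past forward_timeout overall."""
    start = time.monotonic()  # analogous to recording the connection start time
    sock = socket.create_connection(addr, timeout=forward_timeout)
    budget = remaining_budget(start, forward_timeout)
    if budget <= 0:
        sock.close()
        return "timeout"
    sock.settimeout(budget)  # without this the handshake read would block forever
    ctx = ssl.create_default_context()
    # "example.invalid" is a constructed name; the peer never sends a certificate.
    tls = ctx.wrap_socket(sock, server_hostname="example.invalid",
                          do_handshake_on_connect=False)
    try:
        tls.do_handshake()
        return "negotiated"
    except socket.timeout:
        return "timeout"
    finally:
        tls.close()

if __name__ == "__main__":
    srv, held = silent_server()
    print(negotiate(srv.getsockname(), forward_timeout=1.0))
```
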