TLS 1.3 connection is unstable in multi-thread env #7979
Comments
Hi, (better) multi-thread support is something which we are currently looking at, although from a brief look it's difficult to tell which part is actually failing here. We are hoping to dramatically improve the situation before the release of 4.0.
Thank you for the follow-up.
After some debugging, I finally found that the type of most errors is
Lines 1094 to 1104 in 6f37495
This function is used in TLS 1.3 in
Then the problem becomes very clear: the current PSA key slot does not work well in multi-thread. Side note: after searching
Link: #3263
@Taowyoo as Paul says, we have scheduled this as something we will work on through Q3 and Q4. This is one of the main features we want to have in 3.6 LTS, which we are planning to release around the end of this year (maybe early next year). @paul-elliott-arm and @yanesca are actively working on this. I realise this has been open for some time, which is a shame, but hopefully the above timeline is helpful. Thanks for your debug analysis above - it's helpful to get this kind of info.
We have now implemented thread safety around the key store which should fix the error detailed in this issue, however although we are doing threaded tests of keys in various different configurations, we are not as yet doing multithreaded tests of the full TLS stack, so I am slightly uncomfortable closing this as there may be other issues present which we have not yet addressed. I therefore leave it up to @Taowyoo to decide what to do with this - obviously if we do close this, new issues can still be raised.
I am closing this issue because we have fixed the known cause of the problem: since Mbed TLS 3.6.0, the PSA key store is thread-safe. If you find a race condition in TLS code in Mbed TLS ≥3.6, please open a new issue.
Summary
This error was found from our Rust wrapper of mbedtls. Ref: fortanix/rust-mbedtls#301
TLS 1.3 connection is unstable (sometimes breaks) in multi-thread env:
System information
Mbed TLS version (number or commit id): 17526a0d168276aa3ba5833cbb1f8fcd69d688ba
Operating system and version:
Linux yuxiangcao-ThinkPad-T14-Gen-1 5.15.0-79-generic #86~20.04.2-Ubuntu SMP Mon Jul 17 23:27:17 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Configuration (if not default, please attach mbedtls_config.h):
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
Additional environment information:
Expected behavior
No error for each request.
Actual behavior
Random error is returned, including:
Steps to reproduce
Set config
Update ./mbedtls-sys/vendor/programs/ssl/ssl_pthread_server.c with https://gist.github.com/Taowyoo/e2a90ed25bf299500074fdf03e67a050#file-ssl_pthread_server-c
Build and run the example; the example starts a server with 5 threads and spawns 5 threads of clients to connect to it.
In ~70%, the client/server will fail with an error.
Additional information
The script above can run successfully with TLS 1.2 or with TLS 1.3 + one thread several times, but for TLS 1.3 + multi-thread the script failed in most cases.