TLS handshakes should have deadlines too
Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
bleggett committed Apr 5, 2024
1 parent 4b15661 commit 424ef01
Showing 2 changed files with 26 additions and 13 deletions.
20 changes: 13 additions & 7 deletions src/proxy/pool.rs
Expand Up @@ -100,7 +100,7 @@ impl Connection {
&mut self,
req: Request<Empty<Bytes>>,
) -> impl Future<Output = hyper::Result<Response<Incoming>>> {
self.0 .0.send_request(req)
self.0.0.send_request(req)
}
}

Expand Down Expand Up @@ -143,12 +143,18 @@ impl Pool {
request_sender
}
// Connect won, checkout can just be dropped.
Either::Right((Err(err), checkout)) => match err {
// Connect won but we already had an in-flight connection, so use that.
Error::PoolAlreadyConnecting => checkout.await?,
// Some other connection error
err => return Err(err),
},
Either::Right((Err(err), checkout)) => {
debug!(
?key,
"connect won, but wait for existing pooled connection to establish"
);
match err {
// Connect won but we already had an in-flight connection, so use that.
Error::PoolAlreadyConnecting => checkout.await?,
// Some other connection error
err => return Err(err),
}
}
};

Ok(Connection(request_sender))
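Review bot: The new `debug!` at the top of the `Either::Right((Err(err), checkout))` arm runs for every connect error, but its message ("connect won, but wait for existing pooled connection to establish") is only true on the `Error::PoolAlreadyConnecting` path; when the inner match hits `err => return Err(err)` the log will claim we are waiting on a pooled connection while the request is actually being failed. Move the log into the arm it describes: `Error::PoolAlreadyConnecting => { debug!(?key, "connect won, but wait for existing pooled connection to establish"); checkout.await? }`, and let the other arm either stay silent or record what it returns, e.g. `err => { debug!(?key, ?err, "connect failed"); return Err(err) }`. The enclosing function starts above this hunk, so the definition of `key` and the racing of connect against checkout that produces the `Either` are not visible here.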
19 changes: 13 additions & 6 deletions src/tls/workload.rs
Expand Up @@ -29,12 +29,16 @@ use std::future::Future;
use std::io;
use std::pin::Pin;
use std::sync::Arc;
use std::time::Duration;

use crate::tls;
use tokio::net::TcpStream;
use tokio::time::timeout;
use tokio_rustls::client;
use tracing::{debug, trace};

const TLS_HANDSHAKE_TIMEOUT: u64 = 10;

#[derive(Clone, Debug)]
pub struct InboundAcceptor<F: ServerCertProvider> {
provider: F,
Expand Down Expand Up @@ -146,12 +150,14 @@ where
let mut acceptor = self.provider.clone();
Box::pin(async move {
let tls = acceptor.fetch_cert(&conn).await?;
tokio_rustls::TlsAcceptor::from(tls)
let tls_accept = tokio_rustls::TlsAcceptor::from(tls)
.accept(conn)
.map_err(TlsError::Handshake)
.await
})
}
.map_err(TlsError::Handshake);
timeout(Duration::from_secs(TLS_HANDSHAKE_TIMEOUT), tls_accept).map_err(move |e| {
TlsError::Handshake(e.into())
}).await?
})
}
}

#[derive(Clone, Debug)]
Expand All @@ -166,7 +172,8 @@ impl OutboundConnector {
) -> Result<client::TlsStream<TcpStream>, io::Error> {
let dest = ServerName::IpAddress(stream.peer_addr().unwrap().ip().into());
let c = tokio_rustls::TlsConnector::from(self.client_config);
c.connect(dest, stream).await

timeout(Duration::from_secs(TLS_HANDSHAKE_TIMEOUT), c.connect(dest, stream)).await?
}
}

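Review bot: On the inbound path the deadline is applied only to `tls_accept`, after `acceptor.fetch_cert(&conn).await?` has already completed, so the cert fetch a few lines above the new `timeout(...)` call remains unbounded; if that provider call can block (for example waiting on certificate issuance), an unauthenticated peer can still hold the socket with no deadline — either wrap the whole `async move` body in the timeout or confirm `fetch_cert` enforces its own. Separately, `const TLS_HANDSHAKE_TIMEOUT: u64 = 10;` carries its unit only by convention; `const TLS_HANDSHAKE_TIMEOUT: Duration = Duration::from_secs(10);` (`from_secs` is a `const fn`) puts the unit in the type and lets both call sites pass the constant directly. It also deserves a doc comment, e.g. `/// Upper bound on a single TLS handshake so a peer that stalls mid-handshake is dropped instead of pinning the connection.` Both functions touched by the later hunks begin outside the lines shown, and the `stream.peer_addr().unwrap()` in the outbound connector is pre-existing context rather than part of this change.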
