-
-
Notifications
You must be signed in to change notification settings - Fork 605
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS connections that timeout during handshake will leak #3915
Comments
Note: It's also appealing to put a select inside the goroutine like so: go func() {
select {
case <-ctx.Done():
return
case errChan <- conn.Handshake():
return
}
} However, this only allows us to reap this one goroutine early in the case of a timeout; there will still be goroutines in By setting a deadline on the TCP connection, we ensure that We could even consider getting rid of the goroutine, and just putting the |
Previously, if a TLS handshake timed out, we would block forever in `conn.Handshake()`, leaking both a TCP connection and a goroutine. This sets a deadline on the underlying TCP connection, ensuring that `conn.Handshake()` eventually times out. Fixes #3915
In the VA, we create our own TCP connection, then ask the
crypto/tls
package to do a handshake over it:boulder/va/va.go
Lines 659 to 663 in 3bb0657
The
conn.Handshake()
method doesn't take any contexts or timeouts, so if the TLS server fails to respond to any handshake messages (as we often see), this goroutine will block forever. We'll also leak a TCP connection that will never be cleaned up.One possible workaround: after successfully dialing the TCP connection, call
conn.SetReadDeadline(...)
to set a read deadline that matches the context deadline.The text was updated successfully, but these errors were encountered: