Problems? Is your data what you think it is? | |
PerlMonks |
Clients glomming onto an SSL listenerby mungohill (Acolyte) |
on May 09, 2011 at 14:25 UTC ( [id://903771]=perlquestion: print w/replies, xml ) | Need Help?? |
mungohill has asked for the wisdom of the Perl Monks concerning the following question: Greetings Esteemed Monks I haven't been near the monastery for a couple of years because either stuff has been working or I can figure out what is wrong with my feeble powers, but this one's got me beat. As I seem to have stunned the monks into silence with this one, I've also posted a similar query to openssl-users@openssl.org, especially as it does seem more of an openssl control problem. I'll let you know if I get anything from that direction I've had some useful response from the SSL community along the lines that I should expect this problem if I have a single-threaded listener. Also some very sensible recommendations about what to do. Basically it's a really bad idea to use the accept method of IO::Socket::SSL as, unless you have really trivial traffic levels, you will get SSL handshake collisions that completely take your service out. Better to do a basic tcp accept on the socket, and on return, fork, (and in my case do the tcpwrap checks) then invoke start_SSL, passing it the tcp socket which gets blessed to an IO::Socket::SSL socket if the handshake succeeds. All handshake is then done in separate processes. Seems to work so far. I have a service that presents a very simple SSL listener which, when it is hit, identifies the connecting node from its certificate/peer address and just splurges some xml at them containing data from some files in the queue directory that contains their data. All the client does is to open a socket and start reading. This works, but it is unpleasantly susceptible to problems which I believe are caused by clients with bad internet connections (the pathology suggests this). It seems that something unpleasant occurs in the SSL handshake process which causes the socket to hang indefinitely. Nobody else can connect when this has happened. I currently have a very crude monitor program that checks the activity log of the main service and, if things go suspiciously quiet it bludgeons it into compliance by restarting the listener service. I also logs the result of a filtered run of 'netstat' which shows who was involved with the problem. Some hosts feature a lot more regularly, which leads me to believe is it some net environment problem. But that's all a distraction. The fact is that the service shouldn't be susceptible to the vagaries of what stupid clients or bad networks do. I *do* get quite a lot of action on my SSL_error_trap routine. These errors log nicely and don't cause a hang and don't seem to coincide with any hangs. Pretty much immediately after the accept the program forks a handler, but the rogue clients must be glomming onto the main process before the SSL negotiation is complete. I can't help thinking that I should be able to tell SSL to have some sensible (fairly aggressive) timeouts on connections that fail an SSL handshake. Is this possible? Does it sound like I'm even identifying the problem correctly? --I'm wondering if I might get more control using non-blocking but I can't figure out if that's just a Windows thing Perl version v5.8.8 program has:
Back to
Seekers of Perl Wisdom
|
|