From f7e676abdc799fcee5138807447b5e91ab05508f Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Mon, 7 Dec 2020 12:53:54 +0000 Subject: Change -K semantics: timeout *during handshake*, not afterwards - the TLS tunnel itself should be transparent so it has no business shutting down the connection no matter how long the app takes - there's still an undetectable situation on some kernels where EOF doesn't get transmitted from the network, and the engine is in the handshake, and it can't do anything but wait forever. A timeout is useful here: dawg, your peer is never going to send any more data, you should just give up. - if the situation happens after the handshake, the *app* should have a timeout and die. The tunnel will follow suit. - libtls has a blocking tls_handshake() blackbox, we cannot give it a timeout. Too bad, use bearssl. --- doc/s6-tlsd.html | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'doc/s6-tlsd.html') diff --git a/doc/s6-tlsd.html b/doc/s6-tlsd.html index beeedda..579c63c 100644 --- a/doc/s6-tlsd.html +++ b/doc/s6-tlsd.html @@ -129,10 +129,12 @@ connection without using close_notify. This is the default.
  • -y : Require a mandatory client certificate. The default, with neither the -Y nor the -y option, is not to require a client certificate at all.
  • -
  • -K kimeout : close the connection -if kimeout milliseconds elapse without any data being -received from either side. The default is 0, which means -infinite timeout (never kill the connection).
  • +
  • -K kimeout : if the peer fails +to send data for kimeout milliseconds during the handshake, +close the connection. The default is 0, which means infinite timeout +(never kill the connection). This option is ignored by the +libtls backend, which does not have a way to interrupt +the handshake after a timeout.
  • Notes

    -- cgit v1.3.1