From f7e676abdc799fcee5138807447b5e91ab05508f Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Mon, 7 Dec 2020 12:53:54 +0000 Subject: Change -K semantics: timeout *during handshake*, not afterwards - the TLS tunnel itself should be transparent so it has no business shutting down the connection no matter how long the app takes - there's still an undetectable situation on some kernels where EOF doesn't get transmitted from the network, and the engine is in the handshake, and it can't do anything but wait forever. A timeout is useful here: dawg, your peer is never going to send any more data, you should just give up. - if the situation happens after the handshake, the *app* should have a timeout and die. The tunnel will follow suit. - libtls has a blocking tls_handshake() blackbox, we cannot give it a timeout. Too bad, use bearssl. --- doc/s6-tlsd-io.html | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'doc/s6-tlsd-io.html') diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html index 6aad7dc..00f7cd4 100644 --- a/doc/s6-tlsd-io.html +++ b/doc/s6-tlsd-io.html @@ -190,10 +190,12 @@ and break the connection when receiving a local EOF. connection without using close_notify. This is the default.
  • -Y : Do not send a client certificate. This is the default.
  • -y : Send a client certificate.
  • -
  • -K kimeout : close the connection -if kimeout milliseconds elapse without any data being -received from either side. The default is 0, which means -infinite timeout (never kill the connection).
  • +
  • -K kimeout : if the peer fails +to send data for kimeout milliseconds during the handshake, +close the connection. The default is 0, which means infinite timeout +(never kill the connection). This option is ignored by the +libtls backend, which does not have a way to interrupt +the handshake after a timeout.
  • -d notif : handshake notification. notif must be a file descriptor open for writing. When the TLS handshake has completed, some data (terminated by two null -- cgit v1.2.3