merge revision(s) 60172,60189,60208,60210,60211: [Backport #14005]

webrick: do not hang acceptor on slow TLS connections OpenSSL::SSL::SSLSocket#accept may block indefinitely on clients which negotiate the TCP connection, but fail (or are slow) to negotiate the subsequent TLS handshake. This prevents the multi-threaded WEBrick server from accepting other connections. Since the TLS handshake (via OpenSSL::SSL::SSLSocket#accept) consists of normal read/write traffic over TCP, handle it in the per-client thread, instead. Furthermore, using non-blocking accept() is useful for non-TLS sockets anyways because spurious wakeups are possible from select(2). * lib/webrick/server.rb (accept_client): use TCPServer#accept_nonblock and remove OpenSSL::SSL::SSLSocket#accept call * lib/webrick/server.rb (start_thread): call OpenSSL::SSL::SSLSocket#accept * test/webrick/test_ssl_server.rb (test_slow_connect): new test [ruby-core:83221] [Bug #14005] webrick: fix up r60172 By making the socket non-blocking in r60172, TLS/SSL negotiation via the SSL_accept function must handle non-blocking sockets properly and retry on SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. OpenSSL::SSL::SSLSocket#accept cannot do that properly with a non-blocking socket, so it must use non-blocking logic of OpenSSL::SSL::SSLSocket#accept_nonblock. Thanks to MSP-Greg (Greg L) for finding this. * lib/webrick/server.rb (start_thread): use SSL_accept properly with non-blocking socket. [Bug #14013] [Bug #14005] webrick: fix up r60172 and revert r60189 Thanks to MSP-Greg (Greg L) for helping with this. * lib/webrick/server.rb (start_thread): ignore ECONNRESET, ECONNABORTED, EPROTO, and EINVAL on TLS negotiation errors the same way they were ignored before r60172 in the accept_client method of the main acceptor thread. [Bug #14013] [Bug #14005] webrick: fix up r60172 and r60208 Thanks to MSP-Greg (Greg L) for helping with this. * lib/webrick/server.rb (start_thread): fix non-local return introduced in r60208 webrick: fix up r60172 and r60210 Thanks to MSP-Greg (Greg L) for helping with this. * lib/webrick/server.rb (start_thread): properly fix non-local return introduced in r60208 and r60210 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@61240 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2017-12-14 13:33:54 +0000
committer: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2017-12-14 13:33:54 +0000
commit: 1beda2970b1c17daf34c15a1ee1c551b29080bdd (patch)
tree: f70ee9046d3c08ca5a7b2923b139ac3b2757b0b5 /ChangeLog
parent: d69b1e3b305a79659f4686f3cffc5c03c18ea832 (diff)
1 files changed, 63 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 395f11c9f9..af30f685b2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,66 @@
+Thu Dec 14 22:29:04 2017  Eric Wong  <normalperson@yhbt.net>
+
+	webrick: do not hang acceptor on slow TLS connections
+
+	OpenSSL::SSL::SSLSocket#accept may block indefinitely on clients
+	which negotiate the TCP connection, but fail (or are slow) to
+	negotiate the subsequent TLS handshake.  This prevents the
+	multi-threaded WEBrick server from accepting other connections.
+
+	Since the TLS handshake (via OpenSSL::SSL::SSLSocket#accept)
+	consists of normal read/write traffic over TCP, handle it in the
+	per-client thread, instead.
+
+	Furthermore, using non-blocking accept() is useful for non-TLS
+	sockets anyways because spurious wakeups are possible from
+	select(2).
+
+	* lib/webrick/server.rb (accept_client): use TCPServer#accept_nonblock
+	  and remove OpenSSL::SSL::SSLSocket#accept call
+	* lib/webrick/server.rb (start_thread): call OpenSSL::SSL::SSLSocket#acc
+ept
+	* test/webrick/test_ssl_server.rb (test_slow_connect): new test
+	  [ruby-core:83221] [Bug #14005]
+
+	webrick: fix up r60172
+
+	By making the socket non-blocking in r60172, TLS/SSL negotiation
+	via the SSL_accept function must handle non-blocking sockets
+	properly and retry on SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.
+	OpenSSL::SSL::SSLSocket#accept cannot do that properly with a
+	non-blocking socket, so it must use non-blocking logic of
+	OpenSSL::SSL::SSLSocket#accept_nonblock.
+
+	Thanks to MSP-Greg (Greg L) for finding this.
+
+	* lib/webrick/server.rb (start_thread): use SSL_accept properly
+	  with non-blocking socket.
+	  [Bug #14013] [Bug #14005]
+
+	webrick: fix up r60172 and revert r60189
+
+	Thanks to MSP-Greg (Greg L) for helping with this.
+
+	* lib/webrick/server.rb (start_thread): ignore ECONNRESET, ECONNABORTED,
+	  EPROTO, and EINVAL on TLS negotiation errors the same way they
+	  were ignored before r60172 in the accept_client method of the
+	  main acceptor thread.
+	  [Bug #14013] [Bug #14005]
+
+	webrick: fix up r60172 and r60208
+
+	Thanks to MSP-Greg (Greg L) for helping with this.
+
+	* lib/webrick/server.rb (start_thread): fix non-local return
+	  introduced in r60208
+
+	webrick: fix up r60172 and r60210
+
+	Thanks to MSP-Greg (Greg L) for helping with this.
+
+	* lib/webrick/server.rb (start_thread): properly fix non-local return
+	  introduced in r60208 and r60210
+
 Thu Nov 30 23:37:08 2017  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	parse.y: fix line in rescue
author	usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2017-12-14 13:33:54 +0000
committer	usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2017-12-14 13:33:54 +0000
commit	1beda2970b1c17daf34c15a1ee1c551b29080bdd (patch)
tree	f70ee9046d3c08ca5a7b2923b139ac3b2757b0b5 /ChangeLog
parent	d69b1e3b305a79659f4686f3cffc5c03c18ea832 (diff)