merijnb 4 Posted June 10, 2021 Hi all, Say I have a socket server running, which uses SSL, now if a client connects, but does not send any data, it will take really long before SSL authentication fails, all this time the socket remains open. We can work around this by starting a timer when a socket connects, and if we don't have a successful SSL authentication before the timer goes we can close the connection, but is there any way to set such a timeout in ICS / OpenSSL self? The only thing I've found with regards to this in OpenSSL seems to be about how long a session stays valid, but not anything with regards to how long a client may take to SSL authenticate. Share this post Link to post
Angus Robertson 577 Posted June 10, 2021 The low level socket server does not include any timers, but the higher level HTTP and FTP server component do include various timeouts. TWSocket itself includes a TWSocketCounter class which descendents can check periodically with a timer to close idle connections, depending on activity. For HTTP, the procedure HeartBeatOnTimer checks whether a request is being processed and disconnects according for KeepAliveTimeSec or KeepAliveTimeXferSec. You could add something similar including checking whether SSL has been negotiated. If you are concerned about hacking attempts, I find it's actually better to leave connections open for a long time, doing nothing, which stops the remote robot doing anything else with that connection, close it immediately and it moves on to the next attack attempt. The OverbyteIcsSslMultiWebServ sample includes various hacking tests, and sends a response after a one minute delay. One test I added to my public web server is any access by IP address instead of host name, immediately onto the hackers list. This is also in a new sample I added yesterday, OverbyteIcsDDWebService, which is similar to OverbyteIcsSslMultiWebServ but runs as a real Windows service or a GUI for debugging). and includes a new database REST server sample. Angus 1 Share this post Link to post
Fr0sT.Brutal 900 Posted June 28, 2021 (edited) Don't server's sockets inherit from TCustomTimeoutWSocket which has IdleTimeout that seem to do what OP needs? (never tried ICS-powered TLS server so just supposing theoretically) Edited June 28, 2021 by Fr0sT.Brutal Share this post Link to post
Angus Robertson 577 Posted June 28, 2021 TCustomTimeoutWSocket is only built if BUILTIN_TIMEOUT is defined, although that has been the default for a few years. Server client sockets do descent from that class, and the timeout settings could be set in code when the client is created. But you would then have one ICS thread timer per client, rather than a single timer monitoring all clients as happens with the high level servers. Angus Share this post Link to post
Fr0sT.Brutal 900 Posted June 28, 2021 As for me, BUILTIN_TIMEOUT is MUCH more reasonable as default than USE_SSL xD Share this post Link to post