Jump to content
merijnb

any way to limit time for SSL authentication

Recommended Posts

Hi all,

 

Say I have a socket server running, which uses SSL, now if a client connects, but does not send any data, it will take really long before SSL authentication fails, all this time the socket remains open.

We can work around this by starting a timer when a socket connects, and if we don't have a successful SSL authentication before the timer goes we can close the connection, but is there any way to set such a timeout in ICS / OpenSSL self?
The only thing I've found with regards to this in OpenSSL seems to be about how long a session stays valid, but not anything with regards to how long a client may take to SSL authenticate.

Share this post


Link to post

The low level socket server does not include any timers, but the higher level HTTP and FTP server component do include various timeouts.  TWSocket itself includes a TWSocketCounter class which descendents can check periodically with a timer to close idle connections, depending on activity.

 

For HTTP, the procedure HeartBeatOnTimer checks whether a request is being processed and disconnects according for KeepAliveTimeSec or KeepAliveTimeXferSec.  You could add something similar including checking whether SSL has been negotiated. 

 

If you are concerned about hacking attempts, I find it's actually better to leave connections open for a long time, doing nothing, which stops the remote robot doing anything else with that connection, close it immediately and it moves on to the next attack attempt.  

 

The OverbyteIcsSslMultiWebServ sample includes various hacking tests, and sends a response after a one minute delay.  One test I added to my public web server is any access by IP address instead of host name, immediately onto the hackers list.

 

This is also in a new sample I added yesterday, OverbyteIcsDDWebService, which is similar to OverbyteIcsSslMultiWebServ but runs as a real Windows service or a GUI for debugging). and includes a new database REST server sample. 

 

Angus

 

 

 

  • Like 1

Share this post


Link to post
Posted (edited)

Don't server's sockets inherit from TCustomTimeoutWSocket which has IdleTimeout that seem to do what OP needs? (never tried ICS-powered TLS server so just supposing theoretically)

Edited by Fr0sT.Brutal

Share this post


Link to post

TCustomTimeoutWSocket is only built if BUILTIN_TIMEOUT is defined, although that has been the default for a few years. 

 

Server client sockets do descent from that class, and the timeout settings could be set in code when the client is created.  But you would then have one ICS thread timer per client, rather than a single timer monitoring all clients as happens with the high level servers. 

 

Angus

 

Share this post


Link to post

As for me, BUILTIN_TIMEOUT is MUCH more reasonable as default than USE_SSL xD

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×