From d5abf44e1bd27a37df725f0f74279190e9d01128 Mon Sep 17 00:00:00 2001
From: Mahmoud Mazouz
Date: Mon, 7 Oct 2024 11:20:38 +0000
Subject: [PATCH] Add `tls_handshake_timeout_ms` endpoint config option
---
 io/zenoh-links/zenoh-link-tls/src/lib.rs | 6 ++++--
 io/zenoh-links/zenoh-link-tls/src/unicast.rs | 17 +++++++++++----
 io/zenoh-links/zenoh-link-tls/src/utils.rs | 22 ++++++++++++++++----
 3 files changed, 35 insertions(+), 10 deletions(-)
diff --git a/io/zenoh-links/zenoh-link-tls/src/lib.rs b/io/zenoh-links/zenoh-link-tls/src/lib.rs
index d1b8a6b27d..a547c5d77f 100644
--- a/io/zenoh-links/zenoh-link-tls/src/lib.rs
+++ b/io/zenoh-links/zenoh-link-tls/src/lib.rs
@@ -81,8 +81,6 @@ zconfigurable! {
 // Amount of time in microseconds to throttle the accept loop upon an error.
 // Default set to 100 ms.
 static ref TLS_ACCEPT_THROTTLE_TIME: u64 = 100_000;
- /// The time duration in milliseconds to wait for the TLS handshake to complete.
- static ref TLS_HANDSHAKE_TIMEOUT_MS: u64 = 10_000;
 }
 
 pub mod config {
@@ -110,4 +108,8 @@ pub mod config {
 
 pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect";
 pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: bool = true;
+
+ /// The time duration in milliseconds to wait for the TLS handshake to complete.
+ pub const TLS_HANDSHAKE_TIMEOUT_MS: &str = "tls_handshake_timeout_ms";
+ pub const TLS_HANDSHAKE_TIMEOUT_MS_DEFAULT: u64 = 10_000;
 }
diff --git a/io/zenoh-links/zenoh-link-tls/src/unicast.rs b/io/zenoh-links/zenoh-link-tls/src/unicast.rs
index 49886843fe..60eb47b323 100644
--- a/io/zenoh-links/zenoh-link-tls/src/unicast.rs
+++ b/io/zenoh-links/zenoh-link-tls/src/unicast.rs
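Review bot: The doc comment on the new `TLS_HANDSHAKE_TIMEOUT_MS` key in the second lib.rs hunk is carried over verbatim from the removed static and does not say how the value is supplied or parsed, even though it is now an endpoint config key read from a string and fed through `u64::from_str`. Something like `/// Endpoint config key: maximum time, in milliseconds, to wait for an incoming TLS handshake to complete before the accept gives up. Parsed as an unsigned integer; defaults to TLS_HANDSHAKE_TIMEOUT_MS_DEFAULT.` tells an operator what to write and where the fallback lives. The deletion hunk above it needs nothing.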
@@ -35,8 +35,7 @@ use zenoh_result::{zerror, ZResult};
 
 use crate::{
 utils::{get_tls_addr, get_tls_host, get_tls_server_name, TlsClientConfig, TlsServerConfig},
- TLS_ACCEPT_THROTTLE_TIME, TLS_DEFAULT_MTU, TLS_HANDSHAKE_TIMEOUT_MS, TLS_LINGER_TIMEOUT,
- TLS_LOCATOR_PREFIX,
+ TLS_ACCEPT_THROTTLE_TIME, TLS_DEFAULT_MTU, TLS_LINGER_TIMEOUT, TLS_LOCATOR_PREFIX,
 };
 
 #[derive(Default, Debug, PartialEq, Eq, Hash)]
@@ -370,7 +369,16 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastTls {
 let token = token.clone();
 let manager = self.manager.clone();
 
- async move { accept_task(socket, acceptor, token, manager).await }
+ async move {
+ accept_task(
+ socket,
+ acceptor,
+ token,
+ manager,
+ tls_server_config.tls_handshake_timeout,
+ )
+ .await
+ }
 };
 
 // Update the endpoint locator address
@@ -407,6 +415,7 @@ async fn accept_task(
 acceptor: TlsAcceptor,
 token: CancellationToken,
 manager: NewLinkChannelSender,
+ tls_handshake_timeout: Duration,
 ) -> ZResult<()> {
 async fn accept(socket: &TcpListener) -> ZResult<(TcpStream, SocketAddr)> {
 let res = socket.accept().await.map_err(|e| zerror!(e))?;
@@ -438,7 +447,7 @@ async fn accept_task(
 
 // Accept the TLS connection
 let tls_stream = match tokio::time::timeout(
- Duration::from_millis(*TLS_HANDSHAKE_TIMEOUT_MS),
+ tls_handshake_timeout,
 acceptor.accept(tcp_stream),
 )
 .await
diff --git a/io/zenoh-links/zenoh-link-tls/src/utils.rs b/io/zenoh-links/zenoh-link-tls/src/utils.rs
index 2894bcf337..b6e2c69578 100644
--- a/io/zenoh-links/zenoh-link-tls/src/utils.rs
+++ b/io/zenoh-links/zenoh-link-tls/src/utils.rs
@@ -14,10 +14,11 @@
 use std::{
 convert::TryFrom,
 fs::File,
- io,
- io::{BufReader, Cursor},
+ io::{self, BufReader, Cursor},
 net::SocketAddr,
+ str::FromStr,
 sync::Arc,
+ time::Duration,
 };
 
 use rustls::{
@@ -37,7 +38,7 @@ use zenoh_protocol::core::{
 };
 use zenoh_result::{bail, zerror, ZError, ZResult};
 
-use crate::config::*;
+use crate::config::{self, *};
 
 #[derive(Default, Clone, Copy, Debug)]
 pub struct TlsConfigurator;
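Review bot: In the `@@ -370` hunk the new `async move` block reads `tls_server_config.tls_handshake_timeout` directly, while the two lines just above it bind `token` and `manager` into locals before the capture; binding the timeout the same way, `let tls_handshake_timeout = tls_server_config.tls_handshake_timeout;` beside those two, keeps the three captures uniform and does not depend on whether the async block captures the whole struct or only the field. This is a style point only, the field is a `Duration`, so behaviour is unchanged. The enclosing method starts and ends outside the hunk, so whether `tls_server_config` is still fully owned at that point cannot be checked here.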
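Review bot: The new `tls_handshake_timeout` parameter of `accept_task` in the `@@ -407` hunk is undocumented, and its effect is wider than the name suggests: in the `@@ -438` hunk the timeout wraps `acceptor.accept(tcp_stream)`, and that `.await` appears to run inline in the accept task, so one peer that opens a TCP connection and then stalls the handshake holds the accept loop for up to this duration. A comment on the parameter such as `// Upper bound on a single TLS handshake; the handshake is awaited inline in the accept loop, so a stalled peer delays further accepts for at most this long` makes the trade-off visible to whoever raises the endpoint value. `accept_task`'s body continues outside the hunk, so whether handshakes are elsewhere moved off the loop cannot be confirmed here.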
@@ -149,6 +150,7 @@ impl ConfigurationInspector for TlsConfigurator {
 
 pub(crate) struct TlsServerConfig {
 pub(crate) server_config: ServerConfig,
+ pub(crate) tls_handshake_timeout: Duration,
 }
 
 impl TlsServerConfig {
@@ -217,7 +219,19 @@ impl TlsServerConfig {
 .with_single_cert(certs, keys.remove(0))
 .map_err(|e| zerror!(e))?
 };
- Ok(TlsServerConfig { server_config: sc })
+
+ let tls_handshake_timeout = Duration::from_millis(
+ config
+ .get(config::TLS_HANDSHAKE_TIMEOUT_MS)
+ .map(u64::from_str)
+ .transpose()?
+ .unwrap_or(config::TLS_HANDSHAKE_TIMEOUT_MS_DEFAULT),
+ );
+
+ Ok(TlsServerConfig {
+ server_config: sc,
+ tls_handshake_timeout,
+ })
 }
 
 async fn load_tls_private_key(config: &Config<'_>) -> ZResult> {
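Review bot: The new `tls_handshake_timeout` field on `TlsServerConfig` has no doc comment, and it is the one place that records what the parsed config value means once it leaves the config string. A one-liner such as `/// Maximum time to wait for an incoming TLS handshake; parsed from config::TLS_HANDSHAKE_TIMEOUT_MS.` is enough.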
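Review bot: In the `@@ -217` hunk the parsed value is accepted unchecked, so `tls_handshake_timeout_ms=0` produces a zero `Duration` that `tokio::time::timeout` will almost certainly trip before a network handshake can complete, making every incoming TLS accept on that endpoint fail; a malformed value is likewise propagated through `?` as a bare parse error that does not name the offending key. Reject zero explicitly after the parse, `if tls_handshake_timeout.is_zero() { bail!("{} must be greater than 0", config::TLS_HANDSHAKE_TIMEOUT_MS); }`, and wrap the `u64::from_str` result in a `map_err` that builds the error with `zerror!` and the key name. Whether a very large value should be capped is a policy choice, but since the accept loop awaits the handshake under this timeout it is worth at least documenting that larger values lengthen how long a stalled peer can hold it. The enclosing constructor starts outside the hunk.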