
webrick: do not hang acceptor on slow TLS connections OpenSSL::SSL::SSLSocket#accept may block indefinitely on clients which negotiate the TCP connection, but fail (or are slow) to negotiate the subsequent TLS handshake. This prevents the multi-threaded WEBrick server from accepting other connections. Since the TLS handshake (via OpenSSL::SSL::SSLSocket#accept) consists of normal read/write traffic over TCP, handle it in the per-client thread, instead. Furthermore, using non-blocking accept() is useful for non-TLS sockets anyways because spurious wakeups are possible from select(2). * lib/webrick/server.rb (accept_client): use TCPServer#accept_nonblock and remove OpenSSL::SSL::SSLSocket#accept call * lib/webrick/server.rb (start_thread): call OpenSSL::SSL::SSLSocket#accept * test/webrick/test_ssl_server.rb (test_slow_connect): new test [ruby-core:83221] [Bug #14005] webrick: fix up r60172 By making the socket non-blocking in r60172, TLS/SSL negotiation via the SSL_accept function must handle non-blocking sockets properly and retry on SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. OpenSSL::SSL::SSLSocket#accept cannot do that properly with a non-blocking socket, so it must use non-blocking logic of OpenSSL::SSL::SSLSocket#accept_nonblock. Thanks to MSP-Greg (Greg L) for finding this. * lib/webrick/server.rb (start_thread): use SSL_accept properly with non-blocking socket. [Bug #14013] [Bug #14005] webrick: fix up r60172 and revert r60189 Thanks to MSP-Greg (Greg L) for helping with this. * lib/webrick/server.rb (start_thread): ignore ECONNRESET, ECONNABORTED, EPROTO, and EINVAL on TLS negotiation errors the same way they were ignored before r60172 in the accept_client method of the main acceptor thread. [Bug #14013] [Bug #14005] webrick: fix up r60172 and r60208 Thanks to MSP-Greg (Greg L) for helping with this. 
* lib/webrick/server.rb (start_thread): fix non-local return introduced in r60208 webrick: fix up r60172 and r60210 Thanks to MSP-Greg (Greg L) for helping with this. * lib/webrick/server.rb (start_thread): properly fix non-local return introduced in r60208 and r60210 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@61240 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
require "test/unit"
require "webrick"
require "webrick/ssl"
require_relative "utils"
require 'timeout'
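# Tests for WEBrick::GenericServer running with :SSLEnable, driven over real
# TCP + TLS connections to a server started by TestWEBrick.start_server.
#
# NOTE(review): every client socket here is built with
# OpenSSL::SSL::SSLSocket.new(io) and no explicit SSLContext, so this test
# configures no peer verification and the server's self-signed certificate is
# accepted without being checked. That suits a loopback test against a
# throwaway certificate; it is not a pattern for production clients.
class TestWEBrickSSLServer < Test::Unit::TestCase
  # Minimal echo service: writes every line it reads back to the same socket
  # until the peer closes the connection (gets returns nil).
  class Echo < WEBrick::GenericServer
    def run(sock)
      while line = sock.gets
        sock << line
      end
    end
  end

  # The server should present a certificate whose subject is built from
  # :SSLCertName.
  def test_self_signed_cert_server
    assert_self_signed_cert(
      :SSLEnable => true,
      :SSLCertName => [["C", "JP"], ["O", "www.ruby-lang.org"], ["CN", "Ruby"]],
    )
  end

  # Starts an Echo server with +config+, completes a TLS handshake against it,
  # sends the subject of the server's certificate and expects the same line to
  # be echoed back over the TLS channel.
  #
  # Both sockets are released in an +ensure+ so that a failed handshake or a
  # failed assertion does not leak descriptors into the tests that follow.
  def assert_self_signed_cert(config)
    TestWEBrick.start_server(Echo, config){|server, addr, port, log|
      io = TCPSocket.new(addr, port)
      begin
        sock = OpenSSL::SSL::SSLSocket.new(io)
        sock.connect
        sock.puts(server.ssl_context.cert.subject.to_s)
        assert_equal("/C=JP/O=www.ruby-lang.org/CN=Ruby\n", sock.gets, log.call)
      ensure
        # sock is nil if SSLSocket.new itself raised.
        sock&.close
        io.close
      end
    }
  end

  # Regression test for [Bug #14005]: a client that has completed the TCP
  # connection but not yet started the TLS handshake must not stop the server
  # from serving other clients.
  #
  # +outer+ connects first and stays idle at the TCP level; +inner+ connects
  # second and handshakes immediately. If the acceptor performed the handshake
  # for +outer+ itself, +inner+ would never be served and Timeout.timeout(10)
  # would fail the test instead of letting it hang.
  def test_slow_connect
    # Performs the TLS handshake on an already-connected TCP socket, sends one
    # line and checks the echo. Always closes both layers, even on failure.
    poke = lambda do |io, msg|
      begin
        sock = OpenSSL::SSL::SSLSocket.new(io)
        sock.connect
        sock.puts(msg)
        assert_equal "#{msg}\n", sock.gets, msg
      ensure
        sock&.close
        io.close
      end
    end
    config = {
      :SSLEnable => true,
      :SSLCertName => [["C", "JP"], ["O", "www.ruby-lang.org"], ["CN", "Ruby"]],
    }
    Timeout.timeout(10) do
      TestWEBrick.start_server(Echo, config) do |server, addr, port, log|
        # Order matters: open the connection that will be slow first.
        outer = TCPSocket.new(addr, port)
        inner = TCPSocket.new(addr, port)
        poke.call(inner, 'fast TLS negotiation')
        poke.call(outer, 'slow TLS negotiation')
      end
    end
  end
end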