Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 10.0, 10.1, 10.3.4, 10.2.13
- 10.3.6-1
Description
Specifying a connection timeout for a TLS/SSL connection has no effect. Instead of applying connect_timeout to the handshake, the ssl_do function sets the timeout for the session:
    static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
                      ssl_handshake_func_t func, unsigned long *errptr)
    {
      .....
      SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
    }
SSL_SESSION_set_timeout is used to set session timeout values, which are linked to SSL session resumption. They have nothing to do with timing out a connection. As a bad side effect, the session hit rate goes down, especially when a low connection timeout value is specified.
How to fix:
Check the return codes of the SSL_connect() function: in case of SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE, loop until the handshake has finished or the connection timeout has passed.
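The loop described under "How to fix", as an added example (not MariaDB code and not part of the original report). It uses Python's ssl module, whose SSLWantReadError and SSLWantWriteError correspond to OpenSSL's SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE. The function names, the loopback listener and the host name db.example.test are constructed for illustration.

```python
import select
import socket
import ssl
import time


def handshake_with_deadline(sock, ctx, connect_timeout, server_hostname):
    """Run a TLS client handshake that must finish within connect_timeout seconds."""
    deadline = time.monotonic() + connect_timeout
    sock.setblocking(False)  # the handshake must return instead of blocking forever
    tls = ctx.wrap_socket(sock, server_hostname=server_hostname,
                          do_handshake_on_connect=False)
    while True:
        try:
            tls.do_handshake()
            return tls
        except ssl.SSLWantReadError:    # OpenSSL: SSL_ERROR_WANT_READ
            want_read, want_write = [tls], []
        except ssl.SSLWantWriteError:   # OpenSSL: SSL_ERROR_WANT_WRITE
            want_read, want_write = [], [tls]
        # Wait only for the time that is left of the connect timeout.
        remaining = deadline - time.monotonic()
        if remaining <= 0 or not any(
                select.select(want_read, want_write, [], remaining)[:2]):
            tls.close()
            raise TimeoutError("TLS handshake exceeded connect timeout")


def demo_stalled_peer(connect_timeout=0.3):
    """Constructed case: a loopback listener accepts TCP but never speaks TLS."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    ctx = ssl.create_default_context()  # certificate verification stays enabled
    start = time.monotonic()
    try:
        handshake_with_deadline(client, ctx, connect_timeout, "db.example.test")
        return None                     # not reached: the peer never answers
    except TimeoutError:
        return time.monotonic() - start  # seconds until the handshake was abandoned
    finally:
        listener.close()
```

The session lifetime is never touched here, so a short connect timeout does not shorten how long a session stays resumable.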
Issue Links
- relates to: MDEV-15341 Disable TLS session tickets (Closed)