Opened 3 years ago

Closed 3 years ago

#2235 closed enhancement (wontfix)

Allow setting TLS handshake timeouts for http(/2)

Reported by: ltning@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version:
Keywords: ssl tls dos ddos Cc:
uname -a: FreeBSD xxx.xxx.xxx 13.0-RELEASE-p1 FreeBSD 13.0-RELEASE-p1 amd64
nginx -V: nginx version: nginx/1.20.1
built with OpenSSL 1.1.1k-freebsd 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --modules-path=/usr/local/libexec/nginx --with-file-aio --with-google_perftools_module --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-pcre --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --without-mail_pop3_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --add-module=/wrkdirs/usr/ports/www/nginx/work/nginx-module-vts-0.1.18 --with-http_image_filter_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_devel_kit-0.3.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_http_auth_pam_module-1.5.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx-fancyindex-0.5.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/lua-nginx-module-0.10.19 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ModSecurity-nginx-1.0.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/set-misc-nginx-module-4667684 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/passenger-6.0.8/src/nginx_module

Description

Currently only the stream_ssl module supports any kind of tuning of the TLS handshake. We are seeing frequent and high-impact DDoS attacks where part of the attack consists of opening connections to nginx but never starting or completing the TLS handshake.

We could use a way to define

  • max time until TLS handshake begins (after TCP establish)
  • max time for TLS handshake to complete (after first TLS message)

Both of the above should be configurable in seconds or, better, fractions of seconds.

We use TCP initial timeouts on the network layer and SYN cookies in the IP stack to manage those attack vectors.

Change History (1)

comment:1 by Maxim Dounin, 3 years ago

Resolution: wontfix
Status: new → closed

SSL handshake time in the HTTP module is limited by the client_header_timeout time. Given there is no real difference between completed SSL handshake and incomplete HTTP request header and incomplete SSL handshake, there are no plans to introduce additional timeouts here.
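To make the two mechanisms mentioned above concrete, here is an added nginx configuration example (not from the ticket, not the reporter's configuration, and not code from the nginx project). It places the http-side bound that Maxim refers to, client_header_timeout, next to the dedicated ssl_handshake_timeout that the stream module offers; the hostnames, certificate paths, backend address and timeout values are assumed.

```nginx
# Added illustration only; hostnames, paths and values are assumed.

events { }

http {
    # The http module has no handshake-specific timer. The TLS handshake
    # and the request header line/headers must both arrive within
    # client_header_timeout (nginx default: 60s). Lowering it bounds how
    # long a connection that never starts or never finishes its handshake
    # can occupy a worker connection slot. Pick a value that still admits
    # legitimate high-latency clients.
    client_header_timeout 5s;

    # Close timed-out connections with RST rather than FIN so their
    # sockets do not linger in FIN_WAIT1 while a flood is in progress.
    reset_timedout_connection on;

    server {
        listen 443 ssl http2;
        server_name example.test;                        # assumed
        ssl_certificate     /etc/ssl/example.test.pem;   # assumed path
        ssl_certificate_key /etc/ssl/example.test.key;   # assumed path

        location / {
            return 200 "ok\n";
        }
    }
}

stream {
    # The stream module exposes a timer that covers the TLS handshake
    # itself (nginx default: 60s), independent of any application timeout.
    upstream backend {
        server 127.0.0.1:9000;                           # assumed backend
    }

    server {
        listen 8443 ssl;
        ssl_handshake_timeout 5s;
        ssl_certificate     /etc/ssl/example.test.pem;   # assumed path
        ssl_certificate_key /etc/ssl/example.test.key;   # assumed path
        proxy_pass backend;
    }
}
```

Validate the file with `nginx -t` before reloading; note that client_header_timeout also governs ordinary slow header delivery, so a value that is too small will terminate legitimate clients on lossy or high-latency links as readily as handshake stalls.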
