id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2235	Allow setting TLS handshake timeouts for http(/2)	ltning@…		"Currently only the stream_ssl module supports any kind of tuning of the TLS handshake. We are seeing frequent and high-impact DDoS attacks where part of the attack consists of opening connections to nginx but never starting or completing the TLS handshake.

We could use a way to define
- max time until TLS handshake begins (after the TCP connection is established)
- max time for TLS handshake to complete (after first TLS message)

Both of the above should be configurable in seconds or, better, fractions of seconds.

We use TCP initial timeouts on the network layer and SYN cookies in the IP stack to manage those attack vectors."	enhancement	closed	minor		nginx-module		wontfix	ssl tls dos ddos		FreeBSD xxx.xxx.xxx 13.0-RELEASE-p1 FreeBSD 13.0-RELEASE-p1 amd64	"nginx version: nginx/1.20.1
built with OpenSSL 1.1.1k-freebsd  25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --modules-path=/usr/local/libexec/nginx --with-file-aio --with-google_perftools_module --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-pcre --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --without-mail_pop3_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --add-module=/wrkdirs/usr/ports/www/nginx/work/nginx-module-vts-0.1.18 --with-http_image_filter_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_devel_kit-0.3.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_http_auth_pam_module-1.5.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx-fancyindex-0.5.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/lua-nginx-module-0.10.19 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ModSecurity-nginx-1.0.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/set-misc-nginx-module-4667684 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/passenger-6.0.8/src/nginx_module"
