Add ApiListener#tls_handshake_timeout option
This allows specifying the previously hard-coded timeout of 10s. refs #6517
This commit is contained in:
parent
c8d4e785a1
commit
29701b4db5
|
@ -64,6 +64,7 @@ Configuration Attributes:
|
|||
max\_anonymous\_clients | Number | **Optional.** Limit the number of anonymous client connections (not configured endpoints and signing requests).
|
||||
cipher\_list | String | **Optional.** Cipher list that is allowed. For a list of available ciphers run `openssl ciphers`. Defaults to `ALL:!LOW:!WEAK:!MEDIUM:!EXP:!NULL`.
|
||||
tls\_protocolmin | String | **Optional.** Minimum TLS protocol version. Must be one of `TLSv1`, `TLSv1.1` or `TLSv1.2`. Defaults to `TLSv1`.
|
||||
tls\_handshake\_timeout | Number | **Optional.** TLS Handshake timeout. Defaults to `10s`.
|
||||
access\_control\_allow\_origin | Array | **Optional.** Specifies an array of origin URLs that may access the API. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Origin)
|
||||
access\_control\_allow\_credentials | Boolean | **Deprecated.** Indicates whether or not the actual request can be made using credentials. Defaults to `true`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Credentials)
|
||||
access\_control\_allow\_headers | String | **Deprecated.** Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request. Defaults to `Authorization`. [(MDN docs)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Headers)
|
||||
|
|
|
@ -49,6 +49,7 @@ String Configuration::RunAsGroup;
|
|||
String Configuration::RunAsUser;
|
||||
String Configuration::SpoolDir;
|
||||
String Configuration::StatePath;
|
||||
double Configuration::TlsHandshakeTimeout{10};
|
||||
String Configuration::VarsPath;
|
||||
String Configuration::ZonesDir;
|
||||
|
||||
|
@ -309,6 +310,16 @@ void Configuration::SetStatePath(const String& val, bool suppress_events, const
|
|||
HandleUserWrite("StatePath", &Configuration::StatePath, val, m_ReadOnly);
|
||||
}
|
||||
|
||||
double Configuration::GetTlsHandshakeTimeout() const
|
||||
{
|
||||
return Configuration::TlsHandshakeTimeout;
|
||||
}
|
||||
|
||||
void Configuration::SetTlsHandshakeTimeout(double val, bool suppress_events, const Value& cookie)
|
||||
{
|
||||
HandleUserWrite("TlsHandshakeTimeout", &Configuration::TlsHandshakeTimeout, val, m_ReadOnly);
|
||||
}
|
||||
|
||||
String Configuration::GetVarsPath() const
|
||||
{
|
||||
return Configuration::VarsPath;
|
||||
|
|
|
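Review bot: SetTlsHandshakeTimeout accepts any double, so a zero, negative or non-finite value written through the Configuration object (the `[config, no_storage, virtual]` accessor, assuming it is user-settable) lands in `Configuration::TlsHandshakeTimeout` unchecked, whereas the ApiListener path rejects values `<= 0` in ValidateTlsHandshakeTimeout. TlsStream::Handshake turns such a value into a deadline that is already in the past, so every TLS handshake would be reported as timed out. A check before the write, `if (!(val > 0)) BOOST_THROW_EXCEPTION(std::invalid_argument("TlsHandshakeTimeout must be greater than 0."));`, keeps the two entry points consistent; whether HandleUserWrite or the config parser already guards this is not visible here. ApiListener::SetTlsHandshakeTimeout in apilistener.cpp writes the same static directly and would want the same guard.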
@ -108,6 +108,9 @@ public:
|
|||
String GetStatePath() const override;
|
||||
void SetStatePath(const String& value, bool suppress_events = false, const Value& cookie = Empty) override;
|
||||
|
||||
double GetTlsHandshakeTimeout() const override;
|
||||
void SetTlsHandshakeTimeout(double value, bool suppress_events = false, const Value& cookie = Empty) override;
|
||||
|
||||
String GetVarsPath() const override;
|
||||
void SetVarsPath(const String& value, bool suppress_events = false, const Value& cookie = Empty) override;
|
||||
|
||||
|
@ -151,6 +154,7 @@ public:
|
|||
static String RunAsUser;
|
||||
static String SpoolDir;
|
||||
static String StatePath;
|
||||
static double TlsHandshakeTimeout;
|
||||
static String VarsPath;
|
||||
static String ZonesDir;
|
||||
|
||||
|
|
|
@ -146,6 +146,11 @@ abstract class Configuration
|
|||
set;
|
||||
};
|
||||
|
||||
[config, no_storage, virtual] double TlsHandshakeTimeout {
|
||||
get;
|
||||
set;
|
||||
};
|
||||
|
||||
[config, no_storage, virtual] String VarsPath {
|
||||
get;
|
||||
set;
|
||||
|
|
|
@ -21,6 +21,8 @@
|
|||
#include "base/utility.hpp"
|
||||
#include "base/exception.hpp"
|
||||
#include "base/logger.hpp"
|
||||
#include "base/configuration.hpp"
|
||||
#include "base/convert.hpp"
|
||||
#include <iostream>
|
||||
|
||||
#ifndef _WIN32
|
||||
|
@ -315,14 +317,13 @@ void TlsStream::Handshake()
|
|||
m_CurrentAction = TlsActionHandshake;
|
||||
ChangeEvents(POLLOUT);
|
||||
|
||||
boost::system_time const timeout = boost::get_system_time() + boost::posix_time::seconds(TLS_TIMEOUT_SECONDS);
|
||||
boost::system_time const timeout = boost::get_system_time() + boost::posix_time::milliseconds(long(Configuration::TlsHandshakeTimeout * 1000));
|
||||
|
||||
while (!m_HandshakeOK && !m_ErrorOccurred && !m_Eof && timeout > boost::get_system_time())
|
||||
m_CV.timed_wait(lock, timeout);
|
||||
|
||||
// We should _NOT_ (underline, bold, itallic and wordart) throw an exception for a timeout.
|
||||
if (timeout < boost::get_system_time())
|
||||
BOOST_THROW_EXCEPTION(std::runtime_error("Timeout during handshake."));
|
||||
BOOST_THROW_EXCEPTION(std::runtime_error("Timeout was reached (" + Convert::ToString(Configuration::TlsHandshakeTimeout) + ") during TLS handshake."));
|
||||
|
||||
if (m_Eof)
|
||||
BOOST_THROW_EXCEPTION(std::runtime_error("Socket was closed during TLS handshake."));
|
||||
|
|
|
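Review bot: `Configuration::TlsHandshakeTimeout` is read twice in the new lines, once for the deadline and again for the error text, so a value changed between the two reads produces a message that does not describe the deadline actually applied; read it once, `const double handshakeTimeout = Configuration::TlsHandshakeTimeout;`, and use it for both `boost::posix_time::milliseconds(long(handshakeTimeout * 1000))` and `Convert::ToString(handshakeTimeout)`. The message also prints a bare number with no unit (`Timeout was reached (10)`), so `"s) during TLS handshake."` would make the log line self-explanatory. The `long(... * 1000)` conversion is unguarded as well: a non-positive value yields a deadline already in the past, so the wait loop never runs and the handshake fails immediately, and a value large enough that the product exceeds the range of `long` is undefined behaviour — the validation in ApiListener::ValidateTlsHandshakeTimeout covers only one of the two write paths into this static. Handshake() starts and ends outside the hunk.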
@ -89,6 +89,16 @@ String ApiListener::GetDefaultCaPath()
|
|||
return GetCertsDir() + "/ca.crt";
|
||||
}
|
||||
|
||||
double ApiListener::GetTlsHandshakeTimeout() const
|
||||
{
|
||||
return Configuration::TlsHandshakeTimeout;
|
||||
}
|
||||
|
||||
void ApiListener::SetTlsHandshakeTimeout(double value, bool suppress_events, const Value& cookie)
|
||||
{
|
||||
Configuration::TlsHandshakeTimeout = value;
|
||||
}
|
||||
|
||||
void ApiListener::CopyCertificateFile(const String& oldCertPath, const String& newCertPath)
|
||||
{
|
||||
struct stat st1, st2;
|
||||
|
@ -1453,6 +1463,14 @@ void ApiListener::ValidateTlsProtocolmin(const Lazy<String>& lvalue, const Valid
|
|||
}
|
||||
}
|
||||
|
||||
void ApiListener::ValidateTlsHandshakeTimeout(const Lazy<double>& lvalue, const ValidationUtils& utils)
|
||||
{
|
||||
ObjectImpl<ApiListener>::ValidateTlsHandshakeTimeout(lvalue, utils);
|
||||
|
||||
if (lvalue() <= 0)
|
||||
BOOST_THROW_EXCEPTION(ValidationError(this, { "tls_handshake_timeout" }, "Value must be greater than 0."));
|
||||
}
|
||||
|
||||
bool ApiListener::IsHACluster()
|
||||
{
|
||||
Zone::Ptr zone = Zone::GetLocalZone();
|
||||
|
|
|
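Review bot: The guard `if (lvalue() <= 0)` in ValidateTlsHandshakeTimeout lets NaN through, because every comparison with NaN is false; `if (!(lvalue() > 0))` rejects zero, negatives and NaN in one expression (whether the config language can produce NaN is not visible here, so this is cheap hardening rather than a known hole). SetTlsHandshakeTimeout in the previous hunk writes `Configuration::TlsHandshakeTimeout` directly and bypasses this validator, so a runtime or API write of the attribute, if such writes are permitted for `[config]` attributes, would reach TlsStream::Handshake unchecked. If the setter can only ever run for already-validated objects, a short comment on it saying so, e.g. `// Value is guaranteed > 0 by ValidateTlsHandshakeTimeout.`, would spare the next reader the question.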
@ -108,6 +108,9 @@ public:
|
|||
static String GetDefaultKeyPath();
|
||||
static String GetDefaultCaPath();
|
||||
|
||||
double GetTlsHandshakeTimeout() const override;
|
||||
void SetTlsHandshakeTimeout(double value, bool suppress_events, const Value& cookie) override;
|
||||
|
||||
protected:
|
||||
void OnConfigLoaded() override;
|
||||
void OnAllConfigLoaded() override;
|
||||
|
@ -115,6 +118,7 @@ protected:
|
|||
void Stop(bool runtimeDeleted) override;
|
||||
|
||||
void ValidateTlsProtocolmin(const Lazy<String>& lvalue, const ValidationUtils& utils) override;
|
||||
void ValidateTlsHandshakeTimeout(const Lazy<double>& lvalue, const ValidationUtils& utils) override;
|
||||
|
||||
private:
|
||||
std::shared_ptr<SSL_CTX> m_SSLContext;
|
||||
|
|
|
@ -54,6 +54,12 @@ class ApiListener : ConfigObject
|
|||
default {{{ return -1; }}}
|
||||
};
|
||||
|
||||
[config] double tls_handshake_timeout {
|
||||
get;
|
||||
set;
|
||||
default {{{ return Configuration::TlsHandshakeTimeout; }}}
|
||||
};
|
||||
|
||||
[config] String ticket_salt;
|
||||
|
||||
[config] Array::Ptr access_control_allow_origin;
|
||||
|
|