Merge pull request #8479 from Icinga/bugfix/close-anonymous-connections

Close anonymous connections after 10 seconds
2020-11-24 16:44:09 +01:00 · 2020-11-24 16:44:09 +01:00 · 3dcc6c32f3
parent 2a2924855f d1edcb909c
commit 3dcc6c32f3
1 changed files with 31 additions and 8 deletions
--- a/lib/remote/jsonrpcconnection.cpp
+++ b/lib/remote/jsonrpcconnection.cpp
@ -348,6 +348,28 @@ void JsonRpcConnection::CheckLiveness(boost::asio::yield_context yc)
 {
 	boost::system::error_code ec;

+	if (!m_Authenticated) {
+		/* Anonymous connections are normally only used for requesting a certificate and are closed after this request
+		 * is received. However, the request is only sent if the child has successfully verified the certificate of its
+		 * parent so that it is an authenticated connection from its perspective. In case this verification fails, both
+		 * ends view it as an anonymous connection and never actually use it but attempt a reconnect after 10 seconds
+		 * leaking the connection. Therefore close it after a timeout.
+		 */
+
+		m_CheckLivenessTimer.expires_from_now(boost::posix_time::seconds(10));
+		m_CheckLivenessTimer.async_wait(yc[ec]);
+
+		if (m_ShuttingDown) {
+			return;
+		}
+
+		auto remote (m_Stream->lowest_layer().remote_endpoint());
+
+		Log(LogInformation, "JsonRpcConnection")
+			<< "Closing anonymous connection [" << remote.address() << "]:" << remote.port() << " after 10 seconds.";
+
+		Disconnect();
+	} else {
 		for (;;) {
 			m_CheckLivenessTimer.expires_from_now(boost::posix_time::seconds(30));
 			m_CheckLivenessTimer.async_wait(yc[ec]);
@ -365,6 +387,7 @@ void JsonRpcConnection::CheckLiveness(boost::asio::yield_context yc)
 			}
 		}
 	}
+}

 double JsonRpcConnection::GetWorkQueueRate()
 {