|Summary:||mod_reqtimeout does not timeout during SSL handshakes|
|Component:||mod_reqtimeout||Assignee:||Apache HTTPD Bugs Mailing List <bugs>|
|Attachments:||Allow to configure TLS handshake timeout(s)|
Description apache.bugs 2017-07-16 22:00:19 UTC
It seems that `mod_reqtimeout` timeout only starts when the SSL handshake has been fulfilled. Here is a simple configuration to show the issue: # Ensure that accept filters do not interfere AcceptFilter http none AcceptFilter https none # Apache core timeout Timeout 30 # mod_reqtimeout timeout RequestReadTimeout header=5 body=5 A connection made with `openssl s_client` correctly times out after 5 seconds as expected: user@host:~$ time openssl s_client -quiet -host www.mydomain.test -port 443 depth=0 CN = default.invalid verify error:num=18:self signed certificate verify return:1 depth=0 CN = default.invalid verify return:1 real 0m5.082s user 0m0.006s sys 0m0.016s However a connection made using `telnet` remains during 30 seconds, until Apache core global `Timeout` value expires: user@host:~$ time telnet www.mydomain.test 443 Trying 192.168.0.1... Connected to mydomain.test. Escape character is '^]'. Connection closed by foreign host. real 0m30.028s user 0m0.003s sys 0m0.012s The expected behavior is for this connection to be interrupted after 5 seconds too, as defined in the `RequestReadTimeout` setting. For reference, `mod_reqtimeout` documentation seems to imply that its timeout should cover the SSL handshake ("If a common configuration is used for http and https virtual hosts, the timeouts should not be set too low") which does not seem to the be case here, hence the bug report. Moreover, `mod_reqtimeout` is cited by Wikipedia as the "the official solution supported by the developers" to mitigate Slowloris class of attacks. The fact that it does not impose any timeout on the SSL handshake strongly limits its effectiveness for such use. : https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html : https://en.wikipedia.org/wiki/Slowloris_(computer_security)#Mitigating_the_Slowloris_attack
Comment 1 dferradal 2019-02-15 18:05:10 UTC
as replied in #httpd in irc: mod_reqtimeout deals with HTTP attacks, checks the timing for HTTP requests, including headers, body. HTTP communication does no happen until SSL negotiation has been established correctly. So it is normal openssl timesout with mod_reqtimeout because SSL negotiation has been stablished already. And it is normal telnet timesout with global server config timeout instead of mod_reqtimeout, because SSL negotiation has not been made and thus we are not in http communication yet. I'd declare this INVALID.
Comment 2 Yann Ylavic 2019-02-15 22:26:30 UTC
Right, switching to "enhancement" though, maybe we can have a new handshake=timeout[-maxtimeout][,MinRate=rate] setting which would act at the TLS handhake level. Will look into this, unless one beats me to it :)
Comment 3 Yann Ylavic 2019-02-15 23:38:21 UTC
Created attachment 36438 [details] Allow to configure TLS handshake timeout(s) Something like this.
Comment 4 Yann Ylavic 2019-02-19 18:25:50 UTC