SSL socket exhaustion? about asyncio HOT 10 OPEN

Hi,

I didn't dig too deep, but it think that's indeed an issue which should be fixed: it's probably easy to DOS an asyncio server by keeping SSL connections open without completing the handshake.
We don't need to do anything for client SSL streams, wrapping open_connection() (or the equivalent for other streams) in wait_for() with a timeout is sufficient.

I'm interested in working on this. The simplest solution is probably to set a timeout on idle streams. We have to keep in mind that either solution must work for any kind of stream transport.

I can look at how we can update the API to include a timeout argument to the right methods and coroutine functions.

from asyncio.

This would seem to be an easy avenue to exhaust the open file limit of any asyncio server that accepts SSL connections as it is out of the control of the application author.

Should there not be some timeout on SSL handshakes - both initial handshake and shutdown handshake?

from asyncio.

Any progress on this? This is a huge flaw for asyncio SSL servers in a hostile environment.

from asyncio.

here is fix python/cpython#480

from asyncio.

Fantastic, thank you. I hope this can be back-ported to 3.5.x and 3.6.x.

from asyncio.

fix is trivial, we can include it into aiohttp for old python versions.

from asyncio.

aiohttp? Not using that; using simple SSL sockets with raw TCP

from asyncio.

ah, ok. just saw aiohttp in install_requires.
then you can do monkey patch yourself.

from asyncio.

Well I can for myself, but not for my 100 users. As this is a remotely exploitable resource leakage I think it should be backported.

from asyncio.

I mean fix should be included in library that you use. and sure it should be backported, but this will take some time.

from asyncio.