-
Notifications
You must be signed in to change notification settings - Fork 631
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TCP listener stuck while processing TLS handshake #1766
Comments
Ooooh, good find. I hadn't thought about that, but I've seen that too; the TLS connection routinely takes a couple seconds or more to finish the handshake. Seems like the only viable solution is to pull the TLS code out of the Networkstream constructor so that it can run in parallel to the listener continuing to listen... [EDIT] Or - and this is maybe a little clunky - you could make some sort of lazy initializer happen inside AsStream... but if it failed, then we are potentially throwing in unexpected places |
Hmm... You probably don't want to reference DesktopNetworkStream inside DicomServer...?
What if you make an asynchronous method on the listener instead, so it will return the right kind of INetworkStream? Maybe something like this
? [EDIT] Just realized I don't need .ConfigureAwait(false) since it's not awaiting. |
Good call. There is already some "CreateNetworkStream" responsibility in |
Describe the bug
While the TCP listener (DesktopNetworkListener) is processing an SSL handshake, no further connections are accepted.
We are seeing situations in the wild where this SSL handshake is taking a long time, due to protocol mismatch, broken environments or buggy network software meddling with our bytes in transit.
More specifically, the method AuthenticateAsServer can hang for a long time.
See also dotnet/runtime#914, it looks like we're not the only ones running into this.
The good news is that we have 1 minute timeout (default, configurable via DefaultTlsAcceptor) that eventually makes us recover from the situation, but the bad news remains that we don't accept any extra TCP connections while this SSL handshake is frozen.
Today most of this is bugs or faulty setups, but I also imagine a bad actor with malevolent intentions that wants to screw up a DICOM listener somewhere that uses Fellow Oak DICOM. You could DDOS every Fellow Oak DICOM listener if you know how and are able to reach it.
To Reproduce
This is the hard part. I have some Wireshark captures that I still need to analyze, but I can reproduce the issue by manually sending the initial bytes of a TLS 1.2 handshake. Our server keeps waiting for more bytes to arrive (but they never do, in my little test), and I confirmed that spinning up a DicomClient then doesn't work until the bad handshake times out.
Expected behavior
I believe the SSL handshake should be offloaded to a background thread and should not block the main loop that accepts incoming TCP connections. Not only would this be a performance gain in the case of multiple connections, it would also solve this "bug".
Screenshots or test DICOM files
I'll write a unit test, this stuff is hard to reproduce.
Environment
Fellow Oak DICOM version: Latest
OS: Irrelevant
Platform: Irrelevant
The text was updated successfully, but these errors were encountered: