From b026fb80bdc790d67d18a2e34a146e279c6c4653 Mon Sep 17 00:00:00 2001
From: Tinet-mucw
Date: Sun, 26 Oct 2025 22:57:32 -0700
Subject: [PATCH] iostream.c: Handle TLS handshake attacks in order to resolve the issue of exceeding the maximum number of HTTPS sessions.

The TCP three-way handshake completes, but if the server is under a TLS handshake attack, asterisk will get stuck at SSL_do_handshake(). In this case, a timeout mechanism should be set for the SSL/TLS handshake process to prevent indefinite waiting during the SSL handshake.

Resolves: #1559
---
 main/iostream.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/main/iostream.c b/main/iostream.c
index e165abe410..980bbf40c1 100644
--- a/main/iostream.c
+++ b/main/iostream.c
@@ -630,6 +630,9 @@ int ast_iostream_start_tls(struct ast_iostream **pstream, SSL_CTX *ssl_ctx, int
 struct ast_iostream *stream = *pstream;
 int (*ssl_setup)(SSL *) = client ? SSL_connect : SSL_accept;
 int res;
+ struct timeval rcv_timeout, snd_timeout;
+ struct timeval timeout;
+ socklen_t len;
 
 stream->ssl = SSL_new(ssl_ctx);
 if (!stream->ssl) {
@@ -655,6 +658,18 @@ int ast_iostream_start_tls(struct ast_iostream **pstream, SSL_CTX *ssl_ctx, int
 }
 }
 
+ /* Get current socket timeout values */
+ len = sizeof(rcv_timeout);
+ getsockopt(stream->fd, SOL_SOCKET, SO_RCVTIMEO, &rcv_timeout, &len);
+ len = sizeof(snd_timeout);
+ getsockopt(stream->fd, SOL_SOCKET, SO_SNDTIMEO, &snd_timeout, &len);
+
+ /* Set socket timeout for SSL handshake to prevent hanging connections and allow SSL handshake to timeout */
+ timeout.tv_sec = 30; /* 30 second timeout for SSL handshake */
+ timeout.tv_usec = 0;
+ setsockopt(stream->fd, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout));
+ setsockopt(stream->fd, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout));
+
 res = ssl_setup(stream->ssl);
 if (res <= 0) {
 int sslerr = SSL_get_error(stream->ssl, res);
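Review bot: The getsockopt()/setsockopt() calls added just before `res = ssl_setup(stream->ssl);` discard their return values, so a setsockopt() failure silently leaves the handshake unbounded — the very condition this patch exists to close — with nothing in the log to show it. SO_RCVTIMEO/SO_SNDTIMEO also only take effect on a blocking descriptor, and when they expire the socket operation fails with EAGAIN, which OpenSSL reports as SSL_ERROR_WANT_READ/WANT_WRITE; the `if (res <= 0)` branch must therefore treat those as fatal rather than retry, and since the function continues outside this hunk I cannot confirm either property here. The bare `30` deserves a named constant (ideally one that configuration can override) and a note that an attacker still holds each half-open session for the full 30 s, so the value bounds the damage per connection rate rather than eliminating it. I would check the setsockopt() results, warn on failure, and state the blocking/WANT_READ precondition in the comment, with `TLS_HANDSHAKE_TIMEOUT_SEC` defined at the top of the file:

```c
	/* … unchanged: SSL_new / SSL_set_fd / client setup, getsockopt save … */

	/* Bound the handshake so a peer that completes TCP but never finishes TLS
	 * cannot pin this session indefinitely.  Only effective on a blocking fd:
	 * on expiry the socket op fails with EAGAIN, which OpenSSL reports as
	 * SSL_ERROR_WANT_READ/WANT_WRITE, and the error path below must treat
	 * that as fatal rather than retrying. */
	timeout.tv_sec = TLS_HANDSHAKE_TIMEOUT_SEC;
	timeout.tv_usec = 0;
	if (setsockopt(stream->fd, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout))
		|| setsockopt(stream->fd, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout))) {
		ast_log(LOG_WARNING, "Unable to set TLS handshake timeout on fd %d: %s\n",
			stream->fd, strerror(errno));
	}

	res = ssl_setup(stream->ssl);
```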
@@ -666,6 +681,10 @@ int ast_iostream_start_tls(struct ast_iostream **pstream, SSL_CTX *ssl_ctx, int
 return -1;
 }
 
+ /* Restore socket timeouts from SSL handshake */
+ setsockopt(stream->fd, SOL_SOCKET, SO_RCVTIMEO, &rcv_timeout, sizeof(rcv_timeout));
+ setsockopt(stream->fd, SOL_SOCKET, SO_SNDTIMEO, &snd_timeout, sizeof(snd_timeout));
+
 return 0;
 #else
 ast_log(LOG_ERROR, "SSL not enabled in this build\n");
-- 
2.47.3
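Review bot: The restore block after `return -1; }` writes `rcv_timeout` and `snd_timeout` back unconditionally, but those structs are only populated if the earlier getsockopt() calls succeed (their results are never checked), so on failure this hands uninitialized stack memory to setsockopt() and can install arbitrary timeouts on the socket for the rest of the session. The restore is also skipped on the `return -1` path, so a socket that fails the handshake keeps the 30 s timeouts — harmless only if the caller closes the fd, which I cannot see from here. I would restore only when the saved values are known good, e.g. `if (have_timeouts) { setsockopt(..., SO_RCVTIMEO, &rcv_timeout, ...); setsockopt(..., SO_SNDTIMEO, &snd_timeout, ...); }` with `have_timeouts` derived from the getsockopt() return codes, or at minimum declare them as `struct timeval rcv_timeout = { 0 }, snd_timeout = { 0 };` so a failed read restores "no timeout" rather than garbage. The enclosing function continues past the `#else` and outside this hunk.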