Type | Bug
Priority | Normal
Assignee |
Version | tigase-server-8.2.0
Spent time | 6h
Issue Votes (0)
Watchers (0)
TLS infinite loop may impact Tigase XMPP Server and could be used for a DDoS attack on Tigase XMPP Server.

If a malicious client initiates a stream, sends <starttls/> and then sends no further data, the TLS handshake is never completed (it neither succeeds nor fails). At some point the authentication timeout is exceeded and the server tries to send </stream:stream> just before closing the TCP connection. Unfortunately, as the TLS handshake is not completed, the TLS layer reports that it needs to read data from the socket - but there is no data to read! At this point we retry in a loop, which was reduced in recent versions to 1000 iterations; this creates an impact on CPU usage and blocks processing on the c2s component thread (the CLOSE command needs to be executed synchronously, so we need to send the stream close synchronously as well).

A single client will not do a lot of harm, but many clients doing the same thing would lead to high CPU usage and block processing at the c2s component, effectively blocking any C2S communication.

Created based on a report from GitHub and analysis of the issue.
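As an added example that is not Tigase's own code, the Java snippet below shows one defensive shape for the close path described above: a bounded wrap loop over javax.net.ssl.SSLEngine that stops as soon as the engine reports NEED_UNWRAP, since no retry can make progress without bytes from the client. The class and method names and the 1000-attempt bound are assumptions; the main() reproduces the stalled state with a server-side engine that never receives a ClientHello.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;

public class StreamCloseOverTls {

    /** Hypothetical upper bound on wrap() attempts, standing in for the 1000-iteration loop in the report. */
    static final int MAX_WRAP_ATTEMPTS = 1000;

    /**
     * Tries to encrypt the closing tag into {@code net}. Returns true when the whole tag
     * was wrapped; returns false immediately when the engine needs peer data (NEED_UNWRAP),
     * so the caller drops the TCP connection instead of spinning on the c2s thread.
     */
    static boolean wrapStreamClose(SSLEngine engine, ByteBuffer plain, ByteBuffer net) throws SSLException {
        for (int attempt = 0; attempt < MAX_WRAP_ATTEMPTS; attempt++) {
            SSLEngineResult result = engine.wrap(plain, net);
            switch (result.getHandshakeStatus()) {
                case NEED_UNWRAP:
                    // Handshake stalled on the client side and the close path has nothing to feed
                    // the engine: retrying cannot help, so give up and let the caller close the socket.
                    return false;
                case NEED_TASK:
                    Runnable task;
                    while ((task = engine.getDelegatedTask()) != null) {
                        task.run();
                    }
                    break;
                default:
                    break;
            }
            if (result.getStatus() == SSLEngineResult.Status.CLOSED) {
                return false;   // outbound side already closed, nothing more to send
            }
            if (!plain.hasRemaining()) {
                return true;    // close tag fully encrypted into net
            }
        }
        return false;           // bound reached without progress
    }

    public static void main(String[] args) throws Exception {
        // Server-side engine that never sees a ClientHello: the state the report describes.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        engine.beginHandshake();
        ByteBuffer plain = ByteBuffer.wrap("</stream:stream>".getBytes(StandardCharsets.UTF_8));
        ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        boolean sent = wrapStreamClose(engine, plain, net);
        System.out.println(sent ? "close tag sent over TLS" : "TLS stalled, closing TCP without stream close");
    }
}
```

With no client data the first wrap() returns NEED_UNWRAP with zero bytes produced, so the method returns after a single attempt rather than after 1000.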