[erlang-questions] race condition in ssl_server leading to DoS?

Gaspar Chilingarov nm@REDACTED
Wed Sep 6 20:29:22 CEST 2006


Hello folks!


I've started deploying our yaws-based web application and faced a strange
problem in one installation.

Sometimes it completely stops responding to SSL connections. netstat
shows that it is not even listening on port 443. On the other hand, port 80
is answering, all internal processes run smoothly, etc...

After some investigation I've found that it fails in the esock port program
with the "esock: Got connect request while PASSIVE" error, which comes from
lib/ssl/c_src/esock.c, line 819 (R11B-0). This error does not occur on
somewhat slow connections (say, DSL), but shows up if people access the web
application via a 100 MBit LAN. Because of the nature of the application,
after loading it immediately issues several simultaneous AJAX connections
to the server, which start computations/fetching from the db. I suspect that
the Erlang VM establishes SSL connections a little bit slower than they
arrive. In that case a user can try to connect between the states when the
socket is really open and before the Erlang process tells the driver to
execute accept on it.

What do you think - how can this situation be avoided?

-- 
Gaspar Chilingarov

System Administrator,
Network security consulting

t +37493 419763 (mob)
i 63174784
e nm@REDACTED


