SSL: Use sane defaults as limits for the client hello length and timeout #16871
Merged
Motivation:
There were various issues here... First off, in SslClientHelloHandler we used 16MB as the default maximum limit for the client hello, which could lead to huge memory usage. Second, we used no limit at all and no timeout in AbstractSniHandler and its subclasses, which is even worse.
Modifications:
- Use 64KB as default limit
- Use 10 seconds as default timeout (same as in SslHandler)
Result:
Saner defaults, which help to guard against high memory usage
Auto-port PR for 5.0: #16897
chrisvest pushed a commit that referenced this pull request Jun 4, 2026
…length and timeout (#16897)
Auto-port of #16871 to 5.0
Cherry-picked commit: 829c885
---
Motivation:
There were various issues here... First off, in SslClientHelloHandler we used 16MB as the default maximum limit for the client hello, which could lead to huge memory usage. Second, we used no limit at all and no timeout in AbstractSniHandler and its subclasses, which is even worse.
Modifications:
- Use 64KB as default limit
- Use 10 seconds as default timeout (same as in SslHandler)
Result:
Saner defaults, which help to guard against high memory usage
Co-authored-by: Norman Maurer <[email protected]>
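The guard the description argues for, as an added example that is not part of this pull request and is not Netty's code: a buffer that refuses a ClientHello whose declared length exceeds 64KB, or that is still incomplete after 10 seconds. The class and method names are hypothetical, and it assumes the TLS record headers have already been stripped.

```java
import java.io.ByteArrayOutputStream;

// Added illustration, not Netty code: class and method names are hypothetical.
public class BoundedClientHello {
    static final int MAX_LEN = 64 * 1024;               // limit named in the PR
    static final long TIMEOUT_NANOS = 10_000_000_000L;  // 10 seconds, as in the PR

    private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
    private final long deadline;
    private int declared = -1;  // handshake body length, unknown until 4 bytes arrive

    BoundedClientHello(long nowNanos) { deadline = nowNanos + TIMEOUT_NANOS; }

    // Feed handshake-layer bytes (TLS record headers already stripped).
    // Returns true once the whole ClientHello is buffered.
    boolean offer(byte[] chunk, long nowNanos) {
        if (nowNanos - deadline > 0) throw new IllegalStateException("client hello timed out");
        if (buf.size() + chunk.length > MAX_LEN + 4) throw new IllegalStateException("too much data buffered");
        buf.write(chunk, 0, chunk.length);
        if (declared < 0 && buf.size() >= 4) {
            byte[] h = buf.toByteArray();
            if (h[0] != 1) throw new IllegalStateException("not a ClientHello");
            // uint24 length field: a peer can declare up to 0xFFFFFF bytes (about 16 MB)
            declared = (h[1] & 0xff) << 16 | (h[2] & 0xff) << 8 | (h[3] & 0xff);
            if (declared > MAX_LEN) throw new IllegalStateException("declared length " + declared + " exceeds limit");
        }
        return declared >= 0 && buf.size() >= declared + 4;
    }

    // Runs one chunk through a fresh guard created at time 0 and reports the outcome.
    static String run(byte[] chunk, long elapsedNanos) {
        try {
            return new BoundedClientHello(0).offer(chunk, elapsedNanos) ? "complete" : "need more";
        } catch (IllegalStateException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: handshake type 1 followed by a uint24 length.
        byte[] small = {1, 0, 0, 2, 3, 3};    // declares 2 bytes, both present
        byte[] partial = {1, 0, 0, 8, 3, 3};  // declares 8 bytes, only 2 present
        byte[] huge = {1, (byte) 0xff, (byte) 0xff, (byte) 0xff};  // declares 0xFFFFFF bytes
        System.out.println(run(small, 0));
        System.out.println(run(partial, 0));
        System.out.println(run(huge, 0));
        System.out.println(run(small, TIMEOUT_NANOS + 1));
    }
}
```

The length check runs as soon as the 4-byte handshake header is available, so an oversized hello is refused before its body is buffered.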