Skip to content

schannel: lower the maximum allowed time to block to 7 seconds #19205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bagder wants to merge 2 commits into from
Closed

schannel: lower the maximum allowed time to block to 7 seconds #19205

bagder wants to merge 2 commits into from

Conversation

@bagder
Copy link
Member

@bagder bagder commented Oct 23, 2025

During TLS renegotiation, the schannel_recv_renegotiate() function is allowed to block for a short while. Reduce the maximum allowed time to block from 10 minutes down to 7 seconds.

@bagder
schannel: lower the maximum allowed time to block to 7 seconds
ca5ec51 
During TLS renegotiation, the schannel_recv_renegotiate() function is
allowed to block for a short while. Reduce the maximum allowed time to
block from 10 minutes down to 7 seconds.
@bagder bagder added TLS Windows Windows-specific labels Oct 23, 2025
@bagder bagder marked this pull request as ready for review October 23, 2025 14:28
@jay
Copy link
Member

jay commented Oct 23, 2025

Renegotiation may take longer than that, but to be fair I chose a number (5 minutes) that just seemed reasonable. I don't have any metrics on what is or is not appropriate in these cases.

jay
jay reviewed Oct 23, 2025
View reviewed changes
lib/vtls/schannel.c Outdated
SCH_RENEG_CALLER_IS_SEND
};

#define MAX_REGEG_BLOCK_TIME (7 * 1000) /* 7 seconds in milliseconds */
Copy link
Member

@jay jay Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

REGEG/RENEG but IMO this is really a one line change where you could have set max_renegotiate_ms to 7 * 1000

@bagder
Copy link
Member Author

bagder commented Oct 23, 2025

Renegotiation may take longer than that

Sure, but that would be a very broken setup on extremely long latency and then I think it is better to fail.

this is really a one line change

Sure, but why not "clean up" while there.

@bagder
Copy link
Member Author

bagder commented Oct 24, 2025

I want to merge this and if it really turns into a problem I'm sure people will tell us and then we can adjust it up a little again.

@icing
Copy link
Contributor

icing commented Oct 24, 2025

https://en.wikipedia.org/wiki/7_Seconds_(song)

I'm fine with merging this.

jay
jay approved these changes Oct 24, 2025
View reviewed changes
Copy link
Member

@jay jay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

@bagder bagder closed this in 3e12ed9 Oct 25, 2025
@bagder bagder deleted the bagder/schannel-7seconds branch October 25, 2025 15:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jay jay jay approved these changes

Assignees

No one assigned

Labels

TLS Windows Windows-specific

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bagder @jay @icing