From 7353ab970c970faf6ff6261711db8c13a847160c Mon Sep 17 00:00:00 2001
From: boli <boli@localhost>
Date: Fri, 18 Sep 2009 20:32:52 +0000
Subject: [PATCH] Fix for issue 4229: Removed call to getHostName for now to prevent the connection handler thread from hanging and causing potential DoS attacks.

---
 opendj-sdk/opends/src/server/org/opends/server/extensions/TLSByteChannel.java |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/opendj-sdk/opends/src/server/org/opends/server/extensions/TLSByteChannel.java b/opendj-sdk/opends/src/server/org/opends/server/extensions/TLSByteChannel.java
index d0283eb..084394c 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/extensions/TLSByteChannel.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/extensions/TLSByteChannel.java
@@ -96,9 +96,16 @@
 
         this.socketChannel = socketChannel;
         this.connection = c;
-        String hostName = socketChannel.socket().getInetAddress().getHostName();
-        int port = socketChannel.socket().getPort();
-        sslEngine = sslContext.createSSLEngine(hostName, port);
+      // getHostName could potentially be very expensive and could block
+      // the connection handler for several minutes. (See issue 4229)
+      // Accepting new connections should be done in a seperate thread to
+      // avoid blocking new connections. Just remove for now to prevent
+      // potential DoS attacks. SSL sessions will not be reused and some
+      // cipher suites (such as Kerberos) will not work.
+      //String hostName = socketChannel.socket().getInetAddress().getHostName();
+      //int port = socketChannel.socket().getPort();
+      //sslEngine = sslContext.createSSLEngine(hostName, port);
+        sslEngine = sslContext.createSSLEngine();
         sslEngine.setUseClientMode(false);
         Set<String> protocols = config.getSSLProtocol();
         if (!protocols.isEmpty())
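Review bot: The replacement `sslEngine = sslContext.createSSLEngine();` drops the peer hint entirely, which the new comment itself says costs session resumption and Kerberos suites, although the blocking part of the old code was only the reverse DNS lookup inside `getHostName()`; `getHostAddress()` returns the literal IP string with no lookup, so `sslEngine = sslContext.createSSLEngine(socketChannel.socket().getInetAddress().getHostAddress(), socketChannel.socket().getPort());` keeps a stable peer identifier for the session cache without reintroducing the hang (Kerberos suites would presumably still need a real hostname, so that caveat stands). The three commented-out lines should be deleted rather than kept, since history already records them, and the comment has a typo (`seperate` → `separate`). The new comment lines are also indented at six columns while the surrounding statements use eight. The enclosing constructor starts before this hunk.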

--
Gitblit v1.10.0