
(PUP-1411) Initialize OpenSSL before starting TCP connection
d2c555385524 (Unpublished)


Description

(PUP-1411) Initialize OpenSSL before starting TCP connection

Ruby's Net::HTTP#connect method makes a TCP connection before it creates
the OpenSSL::SSL::SSLContext and invokes the SSLSocket#connect method:

def connect
  s = timeout(@open_timeout) { TCPSocket.open(conn_address(), conn_port()) }
  if use_ssl?
    ...
    @ssl_context = OpenSSL::SSL::SSLContext.new
    s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context)
    ...
  end
  ...
  timeout(@open_timeout) { s.connect }

Between the time that the TCP connection is established (TCPSocket.open)
and when the client starts the SSL handshake (SSLSocket#connect), the server
must hold the TCP connection open[1].

The first time this code path is taken on the client, the call to
SSLContext.new causes the openssl library to be initialized. This can
take a non-trivial amount of time and is highly platform dependent, e.g.
openssl will initialize the cryptographically strong pseudo-random
number generator. On Windows, this typically calls CryptGenRandom among
other things.

In our CI environment, we are seeing this call take upwards of 7
seconds on Windows agents. If the agent connects to a webrick
puppetmaster, then the server will only hold the connection open for 6.2
seconds. See redmine #4762 and commit 711344836. This can lead to the
puppetmaster closing the connection, to protect against DoS attacks.

This commit ensures that we initialize the openssl library prior to
establishing the TCP connection. This reduces the amount of time the
server needs to wait for the client to send the CLIENT_HELLO message and
decreases the likelihood that the server will time out the connection
unnecessarily.

[1] https://bugs.ruby-lang.org/issues/9459
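The timing problem the commit message describes, reproduced as an added example (this is not code from the commit, from Puppet or from webrick). A constructed stand-in server accepts a TCP connection and closes it if the client's first bytes do not arrive within `hold_seconds`, the way webrick's idle protection closes a connection that never sends CLIENT_HELLO; the client runs a deliberately slow one-time initialisation either before or after `TCPSocket.open`. The names `start_holding_server`, `connect_and_greet`, `simulate` and `first_ssl_context_seconds` are assumptions made for this example, and the `sleep` stands in for the first `OpenSSL::SSL::SSLContext.new` of the process; the last function measures that real cost on the machine it runs on.

```ruby
require 'socket'
require 'timeout'

# Server side (constructed stand-in, not webrick): accept one TCP connection and
# wait at most `hold_seconds` for the client's first bytes. For a TLS server those
# bytes would be the CLIENT_HELLO. If nothing arrives in time the connection is
# closed, which is the DoS protection the commit message refers to.
def start_holding_server(hold_seconds)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  thread = Thread.new do
    client = server.accept
    if IO.select([client], nil, nil, hold_seconds)
      client.write("ok\n")          # first bytes arrived in time
    end
    client.close
    server.close
  end
  [port, thread]
end

# Client side. `one_time_init` models the slow first initialisation of a library
# (in Puppet's case the first OpenSSL::SSL::SSLContext.new). The keyword decides
# whether it runs before or after TCPSocket.open; that ordering is what the
# commit changes.
def connect_and_greet(port, one_time_init, init_before_connect:, read_timeout: 5)
  one_time_init.call if init_before_connect
  sock = TCPSocket.open('127.0.0.1', port)
  one_time_init.call unless init_before_connect
  begin
    sock.write("hello\n")          # plays the role of CLIENT_HELLO
    reply = Timeout.timeout(read_timeout) { sock.gets }
  rescue Errno::ECONNRESET, Errno::EPIPE
    reply = nil                    # server already tore the connection down
  ensure
    sock.close
  end
  reply == "ok\n" ? :handshake_ok : :server_closed
end

# Run one client/server round. init_cost > hold_seconds reproduces the CI failure:
# the initialisation takes longer than the server is willing to wait.
def simulate(init_before_connect:, init_cost: 0.5, hold_seconds: 0.2)
  port, server_thread = start_holding_server(hold_seconds)
  slow_init = -> { sleep(init_cost) }   # constructed stand-in for the costly init
  result = connect_and_greet(port, slow_init, init_before_connect: init_before_connect)
  server_thread.join
  result
end

# Measures what the real thing costs on this machine: seconds spent in the first
# SSLContext.new of the process. Returns nil when Ruby has no openssl extension.
def first_ssl_context_seconds
  require 'openssl'
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  OpenSSL::SSL::SSLContext.new
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "init after connect:  #{simulate(init_before_connect: false)}"
  puts "init before connect: #{simulate(init_before_connect: true)}"
  cost = first_ssl_context_seconds
  puts "first SSLContext.new took #{cost ? format('%.3f s', cost) : 'n/a (no openssl)'}"
end
```

Running the file shows `:server_closed` when the slow initialisation sits between the TCP connect and the first bytes sent, and `:handshake_ok` when the same initialisation is moved in front of `TCPSocket.open`, which is the reordering the commit performs. The measured `SSLContext.new` cost is what a deployment would compare against the server's idle timeout (6.2 seconds for the webrick puppetmaster mentioned above).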

Details

Provenance
Authored by Josh Cooper <josh@puppetlabs.com>
Pushed by vanmeeuwen on Jun 2 2015, 2:22 PM
Parents
rPU2b61e15444f2: Merge branch 'maint/stable/acceptance-dont-make-foss-assumptions' into stable
Branches
Unknown
Tags
Unknown

Event Timeline

Josh Cooper <josh@puppetlabs.com> committed rPUd2c555385524: (PUP-1411) Initialize OpenSSL before starting TCP connection (authored by Josh Cooper <josh@puppetlabs.com>). Jan 29 2014, 6:54 AM