Networking: deadline pass across TCP connect, TLS handshake, HTTP request #484

New issue

Closed

opened 2026-05-13 17:04:01 +00:00 by navicore · 1 comment

navicore commented 2026-05-13 17:04:01 +00:00

Owner

Copy link

Networking — deadline pass across TCP / TLS / HTTP

Largest single follow-up from the PR1–PR5 networking arc. Three IO layers each have an unbounded-park hazard today; they want one coherent deadline mechanism rather than three independent ones.

The three hazards

• Connect timeout (deferred from PR2 #478)
  may::net::TcpStream::connect parks the strand for the full OS SYN timeout (~60–130s on Linux) against a silent peer. No caller-side bound.

• TLS handshake timeout (deferred from PR3 #479)
  ClientConnection::complete_io drives reads/writes until handshake succeeds, fails, or the peer goes mute forever. Stacks on top of connect timeout — a partly-broken peer can park a strand for SYN_timeout + handshake_indefinite.

  PR3 reviewer:

  "Combined with PR2's missing connect timeout, a strand can park for OS-SYN-timeout + indefinite-handshake-time on a partly broken peer. Same shape as the PR2 follow-up — worth grouping into a 'deadline' pass once."

• HTTP per-request timeout / EOF-framed body hang (deferred from PR4 #480)
  No deadline at all. The worst-case shape is a response with neither Content-Length nor chunked encoding: the client reads until EOF, which an attacker-controlled server can stretch indefinitely. Currently documented in STDLIB_REFERENCE.md v1 limitations:

  "The worst-case shape under this gap is a response with neither Content-Length nor Transfer-Encoding: chunked (EOF-framed body): the client reads until EOF, which an attacker-controlled server can stretch indefinitely. Content-Length and chunked responses are bounded by their own framing and by MAX_BODY_SIZE (10 MB)."

Why one design, not three

The hazards share machinery: each needs a deadline plumbed through cooperative IO that the may scheduler can use to wake the strand on expiry. The reviewers explicitly grouped them across PR2/3/4:

"A deadline pass across the networking stack is a planned follow-up (alongside the connect-timeout gap inherited from PR2 and the handshake-timeout gap from PR3)."
— PR4 STDLIB_REFERENCE doc

Open design questions (resolve via /design before any code)

• API shape: per-call argument? Per-strand deadline that all IO inside the strand inherits? Both?
• May-aware deadline primitive: do we need a new crate::time::deadline helper, or compose existing strand-cancel mechanisms (strand.weave-cancel and friends)?
• Granularity: connect + handshake + request as one bound, or distinct bounds per phase?
• Behaviour on expiry: drop the strand mid-IO and return an error map, or surface a typed timeout error distinct from connection failures? How does this interact with the HTTP idempotent-retry path?
• TLS specifics: rustls's complete_io may need a wrapping loop that checks deadline between rounds, since rustls itself has no deadline parameter.

Rough scope

Multi-PR.

1. /design cycle to settle the API + the may-aware deadline primitive.
2. First PR: deadline primitive + net.tcp.connect timeout (smallest consumer).
3. Subsequent PRs: migrate TLS handshake (net.tls.client), then HTTP request (net.http.*) to the same primitive.

Probably 1–2 weeks of focused work plus design discussion.

## Networking — deadline pass across TCP / TLS / HTTP Largest single follow-up from the PR1–PR5 networking arc. Three IO layers each have an unbounded-park hazard today; they want one coherent deadline mechanism rather than three independent ones. ### The three hazards - **Connect timeout** (deferred from PR2 #478) `may::net::TcpStream::connect` parks the strand for the full OS SYN timeout (~60–130s on Linux) against a silent peer. No caller-side bound. - **TLS handshake timeout** (deferred from PR3 #479) `ClientConnection::complete_io` drives reads/writes until handshake succeeds, fails, or the peer goes mute forever. Stacks on top of connect timeout — a partly-broken peer can park a strand for `SYN_timeout + handshake_indefinite`. PR3 reviewer: > "Combined with PR2's missing connect timeout, a strand can park for OS-SYN-timeout + indefinite-handshake-time on a partly broken peer. Same shape as the PR2 follow-up — worth grouping into a 'deadline' pass once." - **HTTP per-request timeout / EOF-framed body hang** (deferred from PR4 #480) No deadline at all. The worst-case shape is a response with neither `Content-Length` nor chunked encoding: the client reads until EOF, which an attacker-controlled server can stretch indefinitely. Currently documented in `STDLIB_REFERENCE.md` v1 limitations: > "The worst-case shape under this gap is a response with neither `Content-Length` nor `Transfer-Encoding: chunked` (EOF-framed body): the client reads until EOF, which an attacker-controlled server can stretch indefinitely. `Content-Length` and chunked responses are bounded by their own framing and by `MAX_BODY_SIZE` (10 MB)." ### Why one design, not three The hazards share machinery: each needs a deadline plumbed through cooperative IO that the may scheduler can use to wake the strand on expiry. The reviewers explicitly grouped them across PR2/3/4: > "A deadline pass across the networking stack is a planned follow-up (alongside the connect-timeout gap inherited from PR2 and the handshake-timeout gap from PR3)." > — PR4 STDLIB_REFERENCE doc ### Open design questions (resolve via `/design` before any code) - **API shape**: per-call argument? Per-strand deadline that all IO inside the strand inherits? Both? - **May-aware deadline primitive**: do we need a new `crate::time::deadline` helper, or compose existing strand-cancel mechanisms (`strand.weave-cancel` and friends)? - **Granularity**: connect + handshake + request as one bound, or distinct bounds per phase? - **Behaviour on expiry**: drop the strand mid-IO and return an error map, or surface a typed timeout error distinct from connection failures? How does this interact with the HTTP idempotent-retry path? - **TLS specifics**: rustls's `complete_io` may need a wrapping loop that checks deadline between rounds, since rustls itself has no deadline parameter. ### Rough scope Multi-PR. 1. `/design` cycle to settle the API + the may-aware deadline primitive. 2. First PR: deadline primitive + `net.tcp.connect` timeout (smallest consumer). 3. Subsequent PRs: migrate TLS handshake (`net.tls.client`), then HTTP request (`net.http.*`) to the same primitive. Probably 1–2 weeks of focused work plus design discussion.

navicore referenced this issue from a commit 2026-05-14 13:51:10 +00:00

● CI is green. Issue #484 deadline pass complete.

navicore referenced this issue 2026-05-14 13:52:23 +00:00

● CI is green. Issue #484 deadline pass complete. #488

navicore commented 2026-05-14 13:52:42 +00:00

Author

Owner

Copy link

#488

https://git.navicore.tech/navicore/patch-seq/pulls/488

navicore closed this issue 2026-05-14 13:52:43 +00:00

navicore referenced this issue from a pull request that will close it, 2026-05-14 14:17:01 +00:00

● CI is green. Issue #484 deadline pass complete. #488

navicore referenced this issue from a commit 2026-05-14 15:29:13 +00:00

Merge pull request '● CI is green. Issue #484 deadline pass complete.' (#488) from issue-484 into main

navicore referenced this issue from a commit 2026-05-14 15:35:20 +00:00

- docs/BATTERIES_INCLUDED.md — replaced four ureq references with the hand-rolled HTTP/1.1 reality; expanded the

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

renovate/sha2-0.x

renovate/rcgen-0.x

renovate/rand-0.x

renovate/pbkdf2-0.x

renovate/hmac-0.x

v7.6.0

v7.5.7

v7.5.6

v7.4.5

v7.4.4

v7.4.3

v7.4.2

v7.4.1

v7.4.0

v7.3.0

v7.2.1

v7.2.0

v7.1.0

v7.0.0

v6.6.2

v6.6.1

v6.6.0

v6.5.3

v6.5.2

v6.5.1

v6.5.0

v6.4.2

v6.4.1

v6.4.0

v6.3.0

v6.2.2

v6.2.1

v6.2.0

v6.1.2

v6.1.1

v6.1.0

v6.0.0

v5.7.1

v5.7.0

v5.6.5

v5.6.4

v5.6.3

v5.6.2

v5.6.1

v5.6.0

v5.5.1

v5.5.0

v5.4.1

v5.4.0

v5.3.0

v5.2.1

v5.2.0

v5.1.1

v5.1.0

v5.0.0

v4.2.1

v4.2.0

v4.1.0

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.0

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.0

v2.1.0

v2.0.1

v2.0.0

v1.1.1

v1.1.0

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

v0.21.0

v0.20.1

v0.20.0

v0.19.12

v0.19.11

v0.19.10

v0.19.9

v0.19.8

v0.19.7

v0.19.6

v0.19.5

v0.19.4

v0.19.3

v0.19.2

v0.19.1

v0.19.0

v0.18.8

v0.18.7

v0.18.6

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.1

v0.14.0

v0.13.0

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.0

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.1

v0.9.0

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.4

v0.3.3

v0.3.2

v0.3.1

Labels

Clear labels   

bug

Something isn't working

  

dependencies

Pull requests that update a dependency file

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

refactor

Code refactoring and cleanup

  

rust

Pull requests that update rust code

  

technical-debt

Technical debt to address

  

wontfix

This will not be worked on

No labels

bug

dependencies

documentation

duplicate

enhancement

good first issue

help wanted

invalid

question

refactor

rust

technical-debt

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

navicore/patch-seq#484

No description provided.