[PR #2583] [MERGED] proto: apply timeout to TLS/QUIC/H3 handshake phase #3158

Closed
opened 2026-03-16 11:28:27 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2583
Author: @japaric
Created: 11/18/2024
Status: Merged
Merged: 11/27/2024
Merged by: @djc

Base: main ← Head: ja-tls-handshake-timeout


📝 Commits (10+)

  • 04905e2 conformance: add util/dns to Docker image
  • 82d3113 conformance: make the low level Container API public
  • 1d82a1d conformance: add netcat to client Docker image
  • 9f1f508 e2e-tests: test client against unresponsive TLS server
  • 62affb3 proto: apply timeout to TLS handshake phase
  • ea50554 extend test to DoT, DoQ and DoH3 protocols
  • f4fa036 proto: apply handshake timeout to DoT
  • b5754e2 proto: define constant for TCP handshake timeout
  • 4e9ffce proto: apply handshake timeout to QUIC
  • 9926433 proto: apply timeout to the H3 handshake phase

📊 Changes

12 files changed (+185 additions, -24 deletions)


📝 conformance/packages/dns-test/src/container.rs (+4 -0)
📝 conformance/packages/dns-test/src/docker/client.Dockerfile (+2 -1)
📝 conformance/packages/dns-test/src/docker/hickory.Dockerfile (+5 -2)
📝 conformance/packages/dns-test/src/lib.rs (+1 -1)
📝 crates/proto/src/h2/h2_client_stream.rs (+26 -7)
📝 crates/proto/src/h3/h3_client_stream.rs (+23 -3)
📝 crates/proto/src/quic/quic_client_stream.rs (+23 -3)
📝 crates/proto/src/runtime.rs (+3 -1)
📝 crates/proto/src/rustls/tls_stream.rs (+14 -6)
📝 crates/proto/src/xfer/mod.rs (+17 -0)
➕ tests/e2e-tests/src/client.rs (+66 -0)
📝 tests/e2e-tests/src/lib.rs (+1 -0)

📄 Description

a timeout is applied to the TCP connection phase but no timeout is applied to TLS handshake. this results in clients "hanging" (blocking forever) when trying to establish a TLS connection to a DNS server.

this PR applies a timeout to the TLS handshake to prevent the problem.

an E2E test has been added to serve as a regression test.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
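
The failure mode described above, as an added example that is not code from this PR or from hickory-dns: a peer completes the TCP connect and then stalls, so only a single deadline over the whole handshake phase gets the client unstuck. It goes slightly beyond the description by also covering a peer that drip-feeds bytes; it assumes blocking `std` sockets instead of the project's async runtime, no real TLS, and the hypothetical names `spawn_stalling_server` and `handshake`.

```rust
use std::io::{self, ErrorKind, Read, Write};
use std::net::{SocketAddr, TcpListener, TcpStream};
use std::thread;
use std::time::{Duration, Instant};

// Constructed stand-in for a stalling server: accepts TCP, then stays silent
// (drip = None) or sends one byte per interval without ever finishing.
fn spawn_stalling_server(drip: Option<Duration>) -> io::Result<SocketAddr> {
    let listener = TcpListener::bind("127.0.0.1:0")?;
    let addr = listener.local_addr()?;
    thread::spawn(move || {
        for mut conn in listener.incoming().flatten() {
            thread::spawn(move || loop {
                thread::sleep(drip.unwrap_or(Duration::from_secs(3600)));
                if drip.is_some() && conn.write_all(&[0x16]).is_err() { return; }
            });
        }
    });
    Ok(addr)
}

// Hypothetical client step: TCP connect under `connect_to`, then collect a
// `want`-byte handshake reply under ONE deadline covering the whole phase.
fn handshake(addr: SocketAddr, connect_to: Duration, handshake_to: Duration, want: usize) -> io::Result<Vec<u8>> {
    let mut stream = TcpStream::connect_timeout(&addr, connect_to)?;
    let deadline = Instant::now() + handshake_to;
    let (mut reply, mut buf) = (Vec::new(), [0u8; 256]);
    while reply.len() < want {
        // Re-arm the socket timeout with the time left, so a peer that drips
        // bytes cannot keep resetting a per-read timer.
        let left = deadline.saturating_duration_since(Instant::now());
        if left.is_zero() { return Err(ErrorKind::TimedOut.into()); }
        stream.set_read_timeout(Some(left))?;
        match stream.read(&mut buf) {
            Ok(0) => return Err(ErrorKind::UnexpectedEof.into()),
            Ok(n) => reply.extend_from_slice(&buf[..n]),
            Err(e) if e.kind() == ErrorKind::WouldBlock => return Err(ErrorKind::TimedOut.into()),
            Err(e) => return Err(e),
        }
    }
    Ok(reply)
}

fn main() -> io::Result<()> {
    for drip in [None, Some(Duration::from_millis(50))] {
        let res = handshake(spawn_stalling_server(drip)?, Duration::from_secs(1), Duration::from_millis(400), 64);
        println!("drip={drip:?} -> {:?}", res.map_err(|e| e.kind()));
    }
    Ok(())
}
```

In both cases the TCP connect succeeds immediately, so the connect timeout alone never fires; the handshake deadline is what returns control to the caller.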
