[Twisted-Python] connectionMade, TLS and DoS protection timeouts

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Wed Feb 29 09:12:47 EST 2012

On 28 Feb, 11:42 pm, tobias.oberstein at tavendo.de wrote:
>I was wondering how I could protect a Twisted server from evil clients 
>but never completing a TLS handshake.
>connectionMade is only called when the TLS handshake has completed, 

Actually, this is not right.  It's sort of a wart, but connectionMade is 
called when the underlying TCP connection is established.  The TLS 
handshake will always complete at some later time.

One reason we (or at least I) have not yet really tried to change this 
is that doing so would make it harder to address just the problem you're 
talking about.

>When doing listenSSL, is there a hook which is fired right after the 
>TCP handshake is
>complete, before the TLS handshake begins, so that I can setup a 
>This is the piece I am missing, since for TCP-level protection (Syn 
>floods etc), I can
>use kernel parameters / kernel packet filtering, and for app-level 
>(I do WebSockets .. which also has a handshake) I can timeout that.
>I like to do above without requiring a frontend TLS terminator / 
>firewall ..

More information about the Twisted-Python mailing list