I'm using, for a specific configuration, an SSL cluster with Listen-SSL-Client authentication enabled (authenticate via SSL client certificate).
After the 3-way TCP handshake, the DX requests the client to authenticate with a client certificate. Is there a 'timeout' configured/configurable for the authentication to occur before closing the TCP connection (to avoid DoS attacks by not showing the certificate)?
There is no configurable setting to time out SSL client authentication for clusters/forwarders. Once a TCP session is established to a cluster/forwarder, the DX will keep the connection open, even if no HTTP request is sent. If the connection count is getting near the maximum allowed connections, the DX performs reaping cycles and closes connections it deems to be idle, to free up resources.
For SLB/ActiveN groups, there are configurable timers:
Possible arguments for "set slb session timeout":
    ackwait      set global SLB Ack-Wait timeout
    active       set global SLB active session timeout
    closewait    set global SLB Fin-Wait session timeout
Three purge criteria can be used to end a session:
ackwait: Three-way TCP handshake has not completed within the specified time (default is 6 seconds).
active: No active sessions are present within the specified time (default is 90
closewait: Sessions are terminated by the client (default is 12 seconds).
TCP Keep-alives can also be enabled with factory settings to test connections, to see if they have been closed silently by the client and/or target server.