TLS handshakes on port 443 must complete within a configurable period, otherwise they will be forcibly terminated. By default, this period is 10 seconds. If smart card authentication is enabled, TLS handshakes on port 443 can complete within 100 seconds.

If required, you can adjust the time for TLS handshakes on port 443 by adding the following property to the locked.properties file:

handshakeLifetime = lifetime_in_seconds

For example:

handshakeLifetime = 20

Optionally, the client that is responsible for an over-running TLS handshake can be automatically added to a blacklist. New connections from blacklisted clients are delayed for a configurable period before being processed so that connections from other clients take priority. You can enable this feature by adding the following property to the locked.properties file:

secureHandshakeDelay = delay_in_milliseconds

For example:

secureHandshakeDelay = 2000

To disable blacklisting of HTTPS connections, remove the secureHandshakeDelay entry or set it to 0.

The IP address of a misbehaving client is added to the blacklist for a minimum period equal to the sum of handshakeLifetime and secureHandshakeDelay.

Using the values in the examples above, the IP address of a misbehaving client is blacklisted for a minimum of 22 seconds:

(20 * 1000) + 2000 = 22000 milliseconds = 22 seconds

The minimum period is extended each time a connection from the same IP address misbehaves. The IP address is removed from the blacklist after the minimum period has expired and after the last delayed connection from that IP address has been processed.

A TLS handshake over-run is not the only reason to blacklist a client. Other reasons include a series of abandoned connections, or a series of requests ending in error, such as multiple attempts to access non-existent URLs. These various triggers have differing minimum blacklist periods. To extend monitoring of these additional triggers to port 80, add the following entry to the locked.properties file:

insecureHandshakeDelay = delay_in_milliseconds

For example:

insecureHandshakeDelay = 1000

To disable blacklisting of HTTP connections, remove the insecureHandshakeDelay entry or set it to 0.
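The following added example (not part of the product documentation) reads the handshakeLifetime, secureHandshakeDelay and insecureHandshakeDelay entries described above from a locked.properties file and reports which blacklisting is enabled and the minimum blacklist period for a TLS handshake over-run. The sample file contents are constructed from the example values above; the default lifetimes of 10 and 100 seconds are those stated at the top of this page.

```python
# Constructed sample using the values from the examples above.
SAMPLE_LOCKED_PROPERTIES = """\
# locked.properties (constructed sample)
handshakeLifetime = 20
secureHandshakeDelay = 2000
insecureHandshakeDelay = 1000
"""

DEFAULT_HANDSHAKE_LIFETIME = 10      # seconds, the default stated above
SMART_CARD_HANDSHAKE_LIFETIME = 100  # seconds when smart card auth is enabled


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#'/'!' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def blacklist_policy(text, smart_card=False):
    """Summarise the blacklist behaviour implied by a locked.properties file.

    A missing delay entry, or a value of 0, disables blacklisting for that
    port. The minimum blacklist period after a TLS handshake over-run is
    handshakeLifetime (seconds) + secureHandshakeDelay (milliseconds).
    """
    props = parse_properties(text)
    default_lifetime = SMART_CARD_HANDSHAKE_LIFETIME if smart_card else DEFAULT_HANDSHAKE_LIFETIME
    lifetime_s = int(props.get("handshakeLifetime", default_lifetime))
    https_delay_ms = int(props.get("secureHandshakeDelay", 0))
    http_delay_ms = int(props.get("insecureHandshakeDelay", 0))
    if lifetime_s <= 0 or https_delay_ms < 0 or http_delay_ms < 0:
        raise ValueError("handshakeLifetime must be > 0 and delays must be >= 0")
    https_enabled = https_delay_ms > 0
    return {
        "handshake_lifetime_s": lifetime_s,
        "https_blacklisting": https_enabled,
        "http_blacklisting": http_delay_ms > 0,
        # 0 when HTTPS blacklisting is off: over-runs are then not blacklisted.
        "min_https_blacklist_s": lifetime_s + https_delay_ms / 1000 if https_enabled else 0,
    }
```

With the sample values the reported minimum period is 22 seconds, matching the calculation above; a file with no secureHandshakeDelay entry reports HTTPS blacklisting as disabled.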