TLS handshakes on port 443 must complete within a configurable period; otherwise they are forcibly terminated. By default, this period is 10 seconds. If smart card authentication is enabled, TLS handshakes on port 443 are instead allowed 100 seconds to complete.
If required, you can adjust the time for TLS handshakes on port 443 by adding the following property to the
handshakeLifetime = lifetime_in_seconds
For example:
handshakeLifetime = 20
Optionally, the client that is responsible for an over-running TLS handshake can be automatically added to a blacklist. New connections from blacklisted clients are delayed for a configurable period before being processed so that connections from other clients take priority. You can enable this feature by adding the following property to the
secureHandshakeDelay = delay_in_milliseconds
For example:
secureHandshakeDelay = 2000
To disable blacklisting of HTTPS connections, remove the secureHandshakeDelay entry or set it to 0.
The IP address of a misbehaving client is added to the blacklist for a minimum period equal to the sum of
Using the values in the examples above, the IP address of a misbehaving client is blacklisted for at least 22 seconds:
(20 * 1000) + 2000 = 22000 milliseconds = 22 seconds
The minimum period is extended each time a connection from the same IP address misbehaves. The IP address is removed from the blacklist after the minimum period has expired and after the last delayed connection from that IP address has been processed.
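The following added example (not the product's own code) models the blacklist behaviour described above so that an administrator can reason about how handshakeLifetime and secureHandshakeDelay combine. It assumes that each repeated offence extends the entry by a further minimum period from its current expiry; the exact extension rule is not stated on this page.

```python
"""Model of the HTTPS handshake blacklist described above (assumed semantics)."""
from dataclasses import dataclass, field


@dataclass
class BlacklistConfig:
    handshake_lifetime_s: int = 10        # handshakeLifetime, in seconds
    secure_handshake_delay_ms: int = 0    # secureHandshakeDelay, in ms; 0 disables blacklisting

    def min_blacklist_ms(self) -> int:
        # Minimum blacklist period: handshake lifetime plus the connection delay.
        return self.handshake_lifetime_s * 1000 + self.secure_handshake_delay_ms


@dataclass
class Blacklist:
    cfg: BlacklistConfig
    expires_at: dict = field(default_factory=dict)  # ip -> earliest removal time (ms)
    pending: dict = field(default_factory=dict)     # ip -> delayed connections not yet processed

    def enabled(self) -> bool:
        return self.cfg.secure_handshake_delay_ms > 0

    def record_overrun(self, ip: str, now_ms: int) -> None:
        """A handshake from ip exceeded handshakeLifetime at time now_ms."""
        if not self.enabled():
            return
        # Assumption: a repeat offence extends the entry from its current expiry.
        base = max(now_ms, self.expires_at.get(ip, now_ms))
        self.expires_at[ip] = base + self.cfg.min_blacklist_ms()

    def delay_for(self, ip: str) -> int:
        """Delay in ms to apply to a new connection from ip; 0 if not blacklisted."""
        if ip not in self.expires_at:
            return 0
        self.pending[ip] = self.pending.get(ip, 0) + 1
        return self.cfg.secure_handshake_delay_ms

    def connection_processed(self, ip: str, now_ms: int) -> None:
        """A delayed connection from ip has been handled; remove the entry if it may expire."""
        if ip in self.pending:
            self.pending[ip] -= 1
        if (ip in self.expires_at and now_ms >= self.expires_at[ip]
                and self.pending.get(ip, 0) == 0):
            del self.expires_at[ip]
            self.pending.pop(ip, None)
```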
A TLS handshake over-run is not the only reason to blacklist a client. Other reasons include a series of abandoned connections, or a series of requests ending in error, such as multiple attempts to access non-existent URLs. These various triggers have differing minimum blacklist periods. To extend monitoring of these additional triggers to port 80, add the following entry to the
insecureHandshakeDelay = delay_in_milliseconds
For example:
insecureHandshakeDelay = 1000
To disable blacklisting of HTTP connections, remove the insecureHandshakeDelay entry or set it to 0.