Handshake timer

Certain configuration or application protocol mismatches can lead to stalled connections. The TLS handshake protocol always expects the end of the connection configured as HandshakeRole Client to send the first message. One connection stall scenario results when both ends of the connection are configured as HandshakeRole Server and wait for a ClientHello record from the other end. Another connection stall scenario results when the end of the connection that normally sends the first application data is configured as HandshakeRole Server, but the partner application is not configured to use a secure connection. The HandshakeRole Server end is waiting for a ClientHello, and the nonsecure end is waiting for application data.

You can use the HandshakeTimer action parameter to control the time that AT-TLS should wait during TLS handshake negotiation before resetting the connection. AT-TLS times two different handshake intervals, handshake start and handshake completion. The handshake start interval is intended to detect configuration problems that result in neither partner sending data. The handshake completion interval is intended to detect problems that might stall a handshake in one of the TLS protocol implementations.

The handshake start interval begins when AT-TLS is ready to begin a TLS handshake, and ends when the hello handshake record is received from the partner. On the initiating or active side of the connection, the handshake start interval used is five times the specified HandshakeTimer value, because it includes:

The network time for the ClientHello record to reach the partner if HandshakeRole is Client.
The time a connection spends on the partner’s listen backlog.
The time before the partner causes the connection to be mapped.
The time spent on the partner AT-TLS work queue.
The time spent by the partner initializing a new System SSL environment, if necessary.
The network time for the partner’s ServerHello or ClientHello record to be returned.

On the listening or passive side of the connection, the handshake start interval used is the specified HandshakeTimer value, because it includes only the network time for one or both hello records. Handshake start interval timeouts result in AT-TLS return code 5004 and a connection reset.

The handshake completion interval begins when the hello handshake record is received from the partner, and ends when the System SSL gsk_secure_connection_init() service returns to AT-TLS. The handshake completion interval used is the specified HandshakeTimer value on either active or passive connections. Handshake completion interval timeouts result in AT-TLS return code 5005 and a connection reset.

The HandshakeTimer action parameter has a default value of 10 seconds. If you determine that you are getting handshake time-outs that are caused by network delays or application workload rather than configuration or application errors, you should increase the value. On the other hand, if you determine that handshakes normally complete much faster in your environment and you would like to detect the occasional incorrectly configured partner more quickly, you can decrease the value.