{"id":38886087,"url":"https://github.com/shaj13/tlslimit","last_synced_at":"2026-01-17T14:47:03.906Z","repository":{"id":62153744,"uuid":"557842303","full_name":"shaj13/tlslimit","owner":"shaj13","description":"Limiting the rate of TLS handshakes ","archived":false,"fork":false,"pushed_at":"2022-10-30T00:05:13.000Z","size":7,"stargazers_count":10,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-06-21T11:01:59.274Z","etag":null,"topics":["attack-defense","ddos","go","golang","mitigation","rate-limiter","rate-limiting","ssl","tls","token-bucket"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shaj13.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-10-26T12:09:32.000Z","updated_at":"2024-06-21T11:01:59.275Z","dependencies_parsed_at":"2022-10-27T11:45:28.782Z","dependency_job_id":null,"html_url":"https://github.com/shaj13/tlslimit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/shaj13/tlslimit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shaj13%2Ftlslimit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shaj13%2Ftlslimit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shaj13%2Ftlslimit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shaj13%2Ftlslimit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shaj13","download_url":"https://codeload.github.com/shaj13/tlslimit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shaj13%2Ftlslimit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28510905,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T13:38:16.342Z","status":"ssl_error","status_checked_at":"2026-01-17T13:37:44.060Z","response_time":85,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack-defense","ddos","go","golang","mitigation","rate-limiter","rate-limiting","ssl","tls","token-bucket"],"created_at":"2026-01-17T14:47:03.848Z","updated_at":"2026-01-17T14:47:03.896Z","avatar_url":"https://github.com/shaj13.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![PkgGoDev](https://pkg.go.dev/badge/github.com/shaj13/tlslimit)](https://pkg.go.dev/github.com/shaj13/tlslimit)\n[![Go Report Card](https://goreportcard.com/badge/github.com/shaj13/tlslimit)](https://goreportcard.com/report/github.com/shaj13/tlslimit)\n[![Coverage Status](https://coveralls.io/repos/github/shaj13/tlslimit/badge.svg?branch=main)](https://coveralls.io/github/shaj13/tlslimit?branch=main)\n[![CircleCI](https://circleci.com/gh/shaj13/tlslimit/tree/main.svg?style=svg)](https://circleci.com/gh/shaj13/env/tree/main)\n\n# TLSLimit\nLimiting the rate of TLS handshakes.\n\n## Motivation\nWhen a client send a request, the server must invest some of its precious CPU cycles into responding to that client, In the case of a secured request, the investment is substantial because of the involved cryptography in TLS handshakes. \n\nApplication layer rate limits would not prevent CPU overload because they work after TLS termination, same for [limiting the number of simultaneous connections](https://pkg.go.dev/golang.org/x/net/netutil) because the attacker or user can keep sending new requests using new connections that trigger TLS handshakes again and again.\n\nFor example see gitlab production [incident](https://gitlab.com/gitlab-com/gl-infra/production/-/issues/6769) caused by TLS handshakes.\n\nTLSLimit is here to help with that, It provides a rate limiter to fewer expensive TLS handshakes, mitigates SSL/TLS exhaustion DDoS attacks, and an overall reduction in required server resources without affecting the overall number of concurrent requests that the server can handle.\n\n## Installation \nUsing tlslimit is easy. First, use go get to install the latest version of the library.\n\n```sh\ngo get github.com/shaj13/tlslimit\n```\nNext, include tlslimit in your application:\n```go\nimport (\n    \"github.com/shaj13/tlslimit\"\n)\n```\n\n## Usage\n```go\npackage main\n\nimport (\n\t\"crypto/tls\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"github.com/shaj13/tlslimit\"\n)\n\nfunc main() {\n\t// Declare the actual callbacks to retrieve the server certificate\n\t// you don't need both callbacks, choose the one that suits your application needs.\n\t//\n\t// Most callers prefer the GetCertificate.\n\n\tgetCert := func(ci *tls.ClientHelloInfo) (*tls.Certificate, error) {\n\t\t// Return actual certificate.\n\t\treturn nil, nil\n\t}\n\n\tgetConfig := func(ci *tls.ClientHelloInfo) (*tls.Config, error) {\n\t\t// Return actual config.\n\t\treturn nil, nil\n\t}\n\n\t// Define a Limiter to enforce TLS rate limiting.\n\t// To prevent a client from exhausting application resources\n\t// and mitigates SSL/TLS exhaustion DDoS attacks.\n\t//\n\t// For Example Allow 20 TLS handshakes per minute for each client IP.\n\tlim := tlslimit.NewLimiter(\n\t\ttlslimit.WithBursts(20),\n\t\ttlslimit.WithLimit(time.Minute),\n\t\ttlslimit.WithTLSClientIP(),\n\t\t// Use WithGetCertificate or WithGetConfigForClient\n\t\ttlslimit.WithGetCertificate(getCert),\n\t\ttlslimit.WithGetConfigForClient(getConfig),\n\t)\n\n\t// Tie the Limiter to the tls.Config.\n\tcfg := \u0026tls.Config{\n\t\t// Use GetCertificate or GetConfigForClient\n\t\tGetCertificate:     lim.GetCertificate,\n\t\tGetConfigForClient: lim.GetConfigForClient,\n\t\tMinVersion:         tls.VersionTLS13,\n\t}\n\n\tsrv := http.Server{\n\t\tTLSConfig: cfg,\n\t}\n\n\t_ = srv.ListenAndServeTLS(\"\", \"\")\n}\n```\n\n# Contributing\n1. Fork it\n2. Download your fork to your PC (`git clone https://github.com/your_username/tlslimit \u0026\u0026 cd env`)\n3. Create your feature branch (`git checkout -b my-new-feature`)\n4. Make changes and add them (`git add .`)\n5. Commit your changes (`git commit -m 'Add some feature'`)\n6. Push to the branch (`git push origin my-new-feature`)\n7. Create new pull request\n\n# License\ntlslimit is released under the MIT license. See [LICENSE](https://github.com/shaj13/tlslimit/blob/main/LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshaj13%2Ftlslimit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshaj13%2Ftlslimit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshaj13%2Ftlslimit/lists"}