From 20b89c547fd9363154cc1ad1b69405abdee436ef Mon Sep 17 00:00:00 2001
From: Nick Bolton
Date: Tue, 28 Apr 2026 12:34:38 +0100
Subject: [PATCH] fix(security): prevent potential DoS by removing blocking sleep in secureAccept
---
 src/lib/net/SecureSocket.cpp | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/lib/net/SecureSocket.cpp b/src/lib/net/SecureSocket.cpp
index 60c2b932a..3c1b559f7 100644
--- a/src/lib/net/SecureSocket.cpp
+++ b/src/lib/net/SecureSocket.cpp
@@ -413,13 +413,12 @@ int SecureSocket::secureAccept(int socket)
 checkResult(r, retry);
 if (isFatal()) {
- // tell user and sleep so the socket isn't hammered.
+ // Never block here; this thread services every connected socket.
+ // Historically a 1s sleep let any failed handshake DoS all clients.
 LOG((CLOG_ERR "failed to accept secure socket"));
- LOG((CLOG_WARN "client connection may not be secure"));
 m_secureReady = false;
- ARCH->sleep(1);
 retry = 0;
- return -1; // Failed, error out
+ return -1; // Fail
 }
 // If not fatal and no retry, state is good
@@ -441,7 +440,7 @@ int SecureSocket::secureAccept(int socket)
 // no good state exists here
 LOG((CLOG_ERR "unexpected state attempting to accept connection"));
- return -1;
+ return -1; // Fail
 }
 int SecureSocket::secureConnect(int socket)
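Review bot: With `ARCH->sleep(1)` gone from the `isFatal()` branch in the first hunk, nothing visible here limits how often a peer can fail the handshake, and every failure still writes a `CLOG_ERR` line, so repeated bad handshakes can flood the log. Removing the blocking sleep is right, but the throttling it provided should come back in a non-blocking form, for example a per-peer failure count with a timer-based backoff held by whatever owns the listener; at minimum record the gap with `// TODO: rate-limit repeated handshake failures per peer without blocking this thread`. The second line of the new comment describes history and would sit better in the commit message than in the code. secureAccept begins above this hunk, so whether the caller already closes or throttles the socket on -1 cannot be confirmed from here.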