httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Doug MacEachern <do...@covalent.net>
Subject Re: [PATCH] SSL, POST, and renegotiation
Date Tue, 11 Jun 2002 03:18:04 GMT
try with current cvs and 'SSLOptions +OptRenegotiate' configured.
with this option enabled, modssl will use the client cert from the ssl 
session cache if one was not already sent by the client.  in this case, 
modssl will not need to read from the client since full renegotiation is 
by-passed.  this of course requires that you have SSLSessionCache of some 
sort enabled.  and that your client either sends a cert automatically or 
is first requested to send one during a GET request, from which point the 
cert will be in the session cache when any POST happens afterwards.

as for supporting POST where client cert is required on a per-location 
basis and OptRenegotiate is not enabled, i think any solution will be 
very painful to get right.  when POST data is small, setting it aside in 
memory isn't so bad, but allowing large POSTs before the client has 
actually been authenticated leaves open potential DOS attacks.  saving 
large POSTs to disk would likely  result in more potential badness.



Mime
View raw message