httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555
Date Tue, 17 Nov 2009 13:08:12 GMT
On Tue, Nov 17, 2009 at 11:42:40AM +0100, Hartmut Keil wrote:
> Joe Orton wrote:
> > This would break HTTP pipelining over SSL (for affected configurations), 
> > and it might not fail gracefully - the server would appear to simply 
> > never receive the pipelined requests.  I'm reluctant to do that.
> 
> No, the proposed change would just affect the buffering optimization in 
> ssl_io_input_getline(...). Pipelining HTTP over SSL does not require 
> decrypting/buffering more data than needed.

I don't follow this.  The second request injected by the attacker in the 
example you give is a pipelined HTTP request, and your proposal is to 
drop such a request exactly because it was pipelined (the client did not 
stop and wait for the response before sending it).  What am I missing?

Regards, Joe
