httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hartmut Keil <>
Subject Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555
Date Tue, 17 Nov 2009 17:12:41 GMT
Joe Orton wrote:
> On Tue, Nov 17, 2009 at 11:42:40AM +0100, Hartmut Keil wrote:
>> Joe Orton wrote:
>>> This would break HTTP pipelining over SSL (for affected configurations), 
>>> and it might not fail gracefully - the server would appear to simply 
>>> never receive the pipelined requests.  I'm relucant to do that.
>> No, the proposed change would just affect to buffering-optimization in 
>> ssl_io_input_getline(...). Pipelining HTTP over SSL does not required, 
>> to decrypt/buffer more data then needed.
> I don't follow this.  The second request injected by the attacker in the 
> example you give is a pipelined HTTP request, and your proposal is to 
> drop such a request exactly because it was pipelined (the client did not 
> stop and wait for the response before sending it).  What am I missing?

The client must stop and wait for the response in any case, otherwise the
response of a subsequent request will get lost, if the server is not configured
for keep-alive, or the response for the first request causes the server to close
the connection:

client is sending two requests:
GET /one HTTP/1.1

GET /two HTTP/1.1

server is sending the response for the first request, and is closing the connection
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked


AdNovum Informatik AG
Hartmut Keil, Senior Software Engineer
Dipl. Physiker

Roentgenstrasse 22, CH-8005 Zurich
phone: +41 44 272 6111, fax: +41 44 272 6312

AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)

View raw message