Joe Orton wrote:
> On Tue, Nov 17, 2009 at 06:12:41PM +0100, Hartmut Keil wrote:
>> The client must stop and wait for the response in any case, otherwise the
>> response of a subsequent request will get lost, if the server is not configured
>> for keep-alive, or the response for the first request causes the server to close
>> the connection:
>
> It's not the case that clients "must stop and wait" - read RFC 2616 for
> a description of HTTP pipelining.
You're right, I missed that point.
According to http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.1.2.2
"...Clients MUST also be prepared to resend their requests if the server closes the connection before sending all of the corresponding responses. ...."
we are allowed to close the keepalive connection after sending the response.
With the proposed change, we prevent request splitting attacks based on the TLS renegotiation flaw. From my point of view without drawbacks, since 'pipelining' clients must handle the closing of a connection after a complete response in any case.
Regards
Hartmut
--- ssl_engine_io.c.patched 2009-11-16 10:57:23.416525000 +0100
+++ ssl_engine_io.c 2009-11-19 15:52:28.852264000 +0100
@@ -478,6 +478,13 @@
inctx->rc = APR_ECONNABORTED;
return -1;
}
+ /* Clear buffer with decrypted data if the server has initiated a renegotiation.*/
+ if (inctx->filter_ctx->config->reneg_state == RENEG_ALLOW) {
+ char_buffer_write(&inctx->cbuf, NULL, 0);
+ /* disable keep alive */
+ conn_rec *c = (conn_rec *)SSL_get_app_data(inctx->filter_ctx->pssl);
+ c->keepalive = AP_CONN_CLOSE;
+ }
/* XXX: flush here only required for SSLv2;
* OpenSSL calls BIO_flush() at the appropriate times for
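Review bot: the condition `if (inctx->filter_ctx->config->reneg_state == RENEG_ALLOW)` keys on the configured/allowed renegotiation state, not on whether a renegotiation actually took place on this connection, so the buffered plaintext is discarded and keep-alive disabled on every pass through this path while that state holds; the comment ("if the server has initiated a renegotiation") promises a narrower check than the code makes, so either test a flag that is set when the handshake really occurs or reword the comment. Two smaller points in the same hunk: `conn_rec *c = ...` is a declaration after a statement inside the block, which httpd's C89-style code base avoids (hoist it to the top of the block), and the result of `SSL_get_app_data(...)` is dereferenced without a NULL check. Consider also emitting an ap_log_cerror() when buffered decrypted data is dropped, since silently discarding input makes the behaviour hard to diagnose for admins.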
>
> Regards, Joe
>
--
AdNovum Informatik AG
Hartmut Keil, Senior Software Engineer
Dipl. Physiker
Roentgenstrasse 22, CH-8005 Zurich
mailto:hartmut.keil@adnovum.ch
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch
AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)