httpd-dev mailing list archives

From "Boyle Owen" <Owen.Bo...@six-group.com>
Subject RE: TLS renegotiation attack, mod_ssl and OpenSSL
Date Mon, 09 Nov 2009 09:39:39 GMT
> -----Original Message-----
> From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org] 
> Sent: Saturday, November 07, 2009 12:28 AM
> To: dev@httpd.apache.org
> Subject: Re: TLS renegotiation attack, mod_ssl and OpenSSL
> 
> +1 from me. (FreeBSD, Solaris). Test with and without certs (firefox, 
> safari, openssl tool). Tested with renegotiation break script openssl.

Can I just verify what is supposed to happen with the break script test?

I have built 2.2.14 with 0.9.8l on Solaris 10. I do:

	$ openssl -connect wibble:443
	...
	GET / HTTP/1.1
	Host:wibble
	R
	RENEGOTIATING

Then the connection hangs and I get no further data back from the
server. On http://wibble/server-status, I see:

	6-0 17718 0/1/1 R 0.14 31 90 0.0 0.00 0.00 ? ? ..reading..

Is this the intended behaviour? I thought it was supposed to drop the
connection?

Rgds,
Owen Boyle