Date: Thu, 19 Nov 2009 09:30:41 +0000
From: Joe Orton
To: dev@httpd.apache.org
Subject: Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555
Message-ID: <20091119093041.GA9262@redhat.com>
In-Reply-To: <4B02D989.1070604@adnovum.ch>

On Tue, Nov 17, 2009 at 06:12:41PM +0100, Hartmut Keil wrote:
> The client must stop and wait for the response in any case, otherwise the
> response of a subsequent request will get lost, if the server is not configured
> for keep-alive, or the response for the first request causes the server to close
> the connection:

It's not the case that clients "must stop and wait" - read RFC 2616 for a
description of HTTP pipelining.

Regards, Joe