httpd-dev mailing list archives

From Joe Orton
Subject Re: [vote] release 2.2.15?
Date Wed, 03 Mar 2010 22:41:37 GMT

On Wed, Mar 03, 2010 at 11:21:47PM +0100, Mladen Turk wrote:
> SSLInsecureRenegotiation off
> echo R | openssl-0.9.8m s_client  .. disconnects
> echo R | openssl-0.9.8k s_client  .. hangs until ServerTimeout

Ah, right, hmm.  Yes, this is exactly as Bill says, the client is 
ignoring the alert and then the server is hanging until a read times 
out.  This consumes exactly the same amount of server resources as the 
client doing nothing with the connection.

I'm not sure why the connection is not being forcibly closed by the 
server in this case, but:

a) it's certainly not a security issue
b) real clients don't initiate reneg, so it's not a practical issue

Regards, Joe
