httpd-dev mailing list archives

From Mladen Turk <mt...@apache.org>
Subject Re: [vote] release 2.2.15?
Date Wed, 03 Mar 2010 22:04:15 GMT
On 03/03/2010 10:34 PM, William A. Rowe Jr. wrote:
> On 3/3/2010 2:00 PM, Mladen Turk wrote:
>>
>> Right, and I'm afraid if SSLInsecureRenegotiation (default) isn't set
>> while compiled with 0.9.8m one can easily create a DoS attack.
>
> Stop.
>

Whether I stop or not it will not make that disappear :)

>
> Please don't abuse words like DoS to describe utilization.  Of course IE
> and Firefox, Opera and Safari are all DoS tools.  It's called consuming
> server resources :)
>

while [ true ];
do
echo R | openssl s_client -connect host:port &
done

Not only will it kill the server, but it will kill your box as well :)

Seriously, I was hoping 0.9.8m would reject legacy clients,
unless explicitly SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set,
but it seems that's not the case or we are doing something wrong in mod_ssl.


Regards
-- 
^TM
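
Added example, not part of the original message and not httpd or OpenSSL project code: a check an administrator can run over a saved transcript of one `openssl s_client` session in which `R` was sent, to see whether the server advertises the RFC 5746 secure renegotiation extension and whether it honored the client-initiated renegotiation. The function name `reneg_posture` and both sample transcripts are constructed for illustration, and treating any `:error:` line after `RENEGOTIATING` as a refusal is an assumption.

```shell
#!/bin/sh
# Added example: classify a saved `openssl s_client` transcript.
# reneg_posture and the transcripts below are constructed; the exact
# error text s_client prints varies by OpenSSL version.

reneg_posture() {
    # Reads a transcript on stdin, prints "<extension>/<renegotiation>".
    awk '
        /Secure Renegotiation IS NOT supported/ { ext = "legacy" }
        /Secure Renegotiation IS supported/     { ext = "rfc5746" }
        /^RENEGOTIATING/                        { asked = 1; next }
        asked && /:error:/                      { refused = 1 }
        END {
            if (ext == "")    ext = "unknown"
            if (!asked)       r = "not-tested"
            else if (refused) r = "refused"
            else              r = "accepted"
            print ext "/" r
        }'
}

# Constructed transcript: server without the extension completes the
# renegotiation that the client asked for.
SAMPLE_LEGACY='CONNECTED(00000003)
Secure Renegotiation IS NOT supported
---
RENEGOTIATING
depth=0 CN = test.example
verify return:1'

# Constructed transcript: server advertises the extension and fails the
# client-initiated renegotiation (error line is a placeholder).
SAMPLE_PATCHED='CONNECTED(00000003)
Secure Renegotiation IS supported
---
RENEGOTIATING
0:error:00000000:SSL routines:constructed:handshake failure'

printf '%s\n' "$SAMPLE_LEGACY"  | reneg_posture   # legacy/accepted
printf '%s\n' "$SAMPLE_PATCHED" | reneg_posture   # rfc5746/refused
```

A result of `legacy/accepted` is the case the message is worried about: renegotiation requests from the client are still processed with no secure renegotiation extension in play.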
