httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: [vote] release 2.2.15?
Date Mon, 22 Mar 2010 04:32:39 GMT
On 3/3/2010 4:41 PM, Joe Orton wrote:
> On Wed, Mar 03, 2010 at 11:21:47PM +0100, Mladen Turk wrote:
>> SSLInsecureRenegotiation off
>> echo R | openssl-0.9.8m s_client  .. disconnects
>> echo R | openssl-0.9.8k s_client  .. hangs until ServerTimeout
> 
> Ah, right, hmm.  Yes, this is exactly as Bill says, the client is 
> ignoring the alert and then the server is hanging until a read times 
> out.  This consumes exactly the same amount of server resources as the 
> client doing nothing with the connection.
> 
> I'm not sure why the connection is not being forcibly closed by the 
> server in this case, but:
> 
> a) it's certainly not a security issue
> b) real clients don't initiate reneg, so it's not a practical issue

You were incorrect in your statement b) above;

  http://marc.info/?l=openssl-dev&m=125873536926916&w=2

suggests real (handheld/phone) implementations that do this (or perhaps it
was really their proxy/gateway).
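The failure mode Joe and Bill are describing comes down to a decision the legacy client never makes: when the server refuses a client-initiated renegotiation it sends an alert, and a client that ignores that alert and keeps waiting for a ServerHello hangs until the server's read timeout. As an added example that is not part of this thread, of httpd or of OpenSSL, the Python below parses TLS records and makes that decision: close on a no_renegotiation or fatal alert, continue on a ServerHello, otherwise keep waiting. Assumptions: the refusal is the no_renegotiation(100) alert that RFC 5246 defines for this case (the thread only says "the alert"); record payloads are shown in the clear, as they would be after record-layer decryption, since renegotiation happens inside an established session; every record byte string is constructed for the example, not captured traffic.

```python
"""Client-side handling of a server's reply to a renegotiation request.

Added example (not from the httpd-dev thread, httpd or OpenSSL).  It models
the check a TLS client must make after sending a renegotiation ClientHello:
if the server answers with a no_renegotiation alert (RFC 5246, code 100,
assumed here; the thread just says "the alert") or any fatal alert, the
client must stop waiting, otherwise it sits until the server's read timeout.
Payloads are treated as already decrypted by the record layer.  All bytes
below are constructed sample data.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# TLS record-layer content types (RFC 5246 section 6.2.1)
CONTENT_TYPE_ALERT = 21
CONTENT_TYPE_HANDSHAKE = 22
CONTENT_TYPE_APPLICATION_DATA = 23

# Alert levels and the descriptions this example cares about (section 7.2)
ALERT_LEVEL_WARNING = 1
ALERT_LEVEL_FATAL = 2
ALERT_CLOSE_NOTIFY = 0
ALERT_NO_RENEGOTIATION = 100

# Handshake message type we expect if the server agreed to renegotiate
HANDSHAKE_SERVER_HELLO = 2

RECORD_HEADER = struct.Struct("!BBBH")  # type, major, minor, length


@dataclass
class Record:
    content_type: int
    version: Tuple[int, int]
    payload: bytes


def parse_records(data: bytes) -> List[Record]:
    """Split a byte stream into TLS records; reject truncated input."""
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER.size:
            raise ValueError("truncated record header")
        ctype, major, minor, length = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        if len(data) - offset < length:
            raise ValueError("truncated record payload")
        records.append(Record(ctype, (major, minor), data[offset:offset + length]))
        offset += length
    return records


def decide_after_renegotiation_request(data: bytes) -> str:
    """Decide what a client that just asked to renegotiate should do.

    'close'    server refused (no_renegotiation), sent close_notify or a
               fatal alert; waiting any longer only burns the server's
               read timeout, which is the hang seen with the old client.
    'continue' server answered with a ServerHello; renegotiation proceeds.
    'wait'     nothing conclusive yet (for example only application data).
    """
    for rec in parse_records(data):
        if rec.content_type == CONTENT_TYPE_ALERT:
            if len(rec.payload) != 2:
                raise ValueError("malformed alert payload")
            level, description = rec.payload[0], rec.payload[1]
            if level == ALERT_LEVEL_FATAL:
                return "close"
            if description in (ALERT_NO_RENEGOTIATION, ALERT_CLOSE_NOTIFY):
                return "close"
            # other warning alerts are not a refusal; keep looking
        elif rec.content_type == CONTENT_TYPE_HANDSHAKE:
            if rec.payload and rec.payload[0] == HANDSHAKE_SERVER_HELLO:
                return "continue"
    return "wait"


def make_record(content_type: int, payload: bytes, version=(3, 1)) -> bytes:
    """Build one TLS record (constructed sample data, version defaults to TLS 1.0)."""
    return RECORD_HEADER.pack(content_type, version[0], version[1], len(payload)) + payload


def alert_record(level: int, description: int) -> bytes:
    return make_record(CONTENT_TYPE_ALERT, bytes([level, description]))


# Constructed samples.  REFUSED is the reply a server that has renegotiation
# disabled is assumed to send to a legacy client; ACCEPTED is a minimal
# ServerHello-typed handshake record (header only, body not needed here).
REFUSED = alert_record(ALERT_LEVEL_WARNING, ALERT_NO_RENEGOTIATION)
ACCEPTED = make_record(CONTENT_TYPE_HANDSHAKE, bytes([HANDSHAKE_SERVER_HELLO, 0, 0, 0]))
ONLY_APP_DATA = make_record(CONTENT_TYPE_APPLICATION_DATA, b"HTTP/1.1 200 OK\r\n")

if __name__ == "__main__":
    for name, sample in (("refused", REFUSED), ("accepted", ACCEPTED), ("app data", ONLY_APP_DATA)):
        print(f"{name:9s} -> {decide_after_renegotiation_request(sample)}")
```

The interesting branch is the warning-level no_renegotiation alert: RFC 5246 makes it a warning, so a client that only tears down on fatal alerts (the behaviour the old s_client shows in Mladen's test) will keep reading and never get the ServerHello it is waiting for. Treating that warning as the end of the renegotiation attempt is what turns the timeout into an immediate disconnect.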
