From: Joe Orton
To: dev@httpd.apache.org
Subject: Re: [vote] release 2.2.15?
Date: Wed, 3 Mar 2010 22:41:37 +0000

On Wed, Mar 03, 2010 at 11:21:47PM +0100, Mladen Turk wrote:
> SSLInsecureRenegotiation off
> echo R | openssl-0.9.8m s_client .. disconnects
> echo R | openssl-0.9.8k s_client .. hangs until ServerTimeout

Ah, right, hmm. Yes, this is exactly as Bill says, the client is ignoring the alert and then the server is hanging until a read times out. This consumes exactly the same amount of server resources as the client doing nothing with the connection.

I'm not sure why the connection is not being forcibly closed by the server in this case, but:

a) it's certainly not a security issue
b) real clients don't initiate reneg, so it's not a practical issue

Regards, Joe