tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: APR Connector renegotiation fix
Date Thu, 12 Nov 2009 16:25:31 GMT
On 11/12/2009 04:34 AM, Mladen Turk wrote:
> Hi,
>
> Just made the fix by modifying the mod_ssl patch
> so that connection gets closed on R.
>
> Problem with OpenSSL 0.9.8l that it has renegotiation
> disabled and that it gets blocked in 'R' thus making
> it a potential DoS (much worse than actual R) so
> I'd suggest we don't use it and create immediate release
> of 1.1.18 with the fix.
>
> Please test the trunk or apply the patches to 1.1.x
> (even better vote with +1 :)
>
> Note. Don't use 0.9.8l for testing cause that bugger will
> block on renegotiation until socket timeout.
This is actually not so bad, since it's so easy to achieve the same DoS 
by simply sending a partial POST body or a partial GET request, and you 
have the same exposure to socket timeout.
Given the blocking nature of the servlet specification, DoS is always 
there, and it's very easy to simulate. Timeouts are the only protection.

filip
>
> Regards

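The point Filip makes above, that a client which sends a partial GET or a partial POST body ties up a blocking server thread exactly as a stalled renegotiation does, and that only the socket timeout bounds the damage, as an added example. This is not code from the thread, from Tomcat or from OpenSSL; read_request, simulate, the 8192-byte header cap and the three constructed requests are all assumptions made here for illustration.

```python
"""
Added example (not from the original thread): a minimal blocking HTTP/1.0-style
request reader, run against a 'client' that sends part of a request and then
goes silent without closing the connection. With timeout=None the handler
thread would block forever; with a read timeout it returns and frees the thread.
"""
import socket
import threading

MAX_HEADER_BYTES = 8192   # assumed cap so an endless header block also fails fast


def read_request(conn, timeout):
    """Read one HTTP request from a blocking socket.

    Returns ("ok", head, body) on a complete request,
    ("timeout", partial) if the peer stalls for `timeout` seconds,
    ("closed", partial) if the peer disconnects, or
    ("too_large", partial) if the header block exceeds MAX_HEADER_BYTES.
    """
    conn.settimeout(timeout)   # timeout=None reproduces the unbounded block
    buf = b""
    try:
        # Phase 1: header block, terminated by an empty line. A partial GET
        # never sends the terminator, so without a timeout recv() never returns.
        while b"\r\n\r\n" not in buf:
            if len(buf) > MAX_HEADER_BYTES:
                return ("too_large", buf)
            chunk = conn.recv(4096)
            if not chunk:
                return ("closed", buf)
            buf += chunk
        head, body = buf.split(b"\r\n\r\n", 1)

        # Phase 2: body sized by Content-Length (chunked encoding not handled).
        # A partial POST announces more bytes than it ever sends.
        length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        while len(body) < length:
            chunk = conn.recv(min(4096, length - len(body)))
            if not chunk:
                return ("closed", head + b"\r\n\r\n" + body)
            body += chunk
        return ("ok", head, body[:length])
    except socket.timeout:
        return ("timeout", buf)


def simulate(client_bytes, timeout=0.5):
    """Run read_request on one end of a socketpair while the other end writes
    `client_bytes` once and then stays silent (never closing), the way a
    slow-request DoS client does. Returns the handler's result tuple."""
    server_side, client_side = socket.socketpair()
    result = []

    def handler():
        result.append(read_request(server_side, timeout))

    t = threading.Thread(target=handler)
    t.start()
    client_side.sendall(client_bytes)
    t.join()          # with timeout=None this join would never return
    server_side.close()
    client_side.close()
    return result[0]


# Constructed inputs: a complete POST, a POST whose body never fully arrives,
# and a GET whose header block is never terminated.
FULL_POST = b"POST /login HTTP/1.0\r\nContent-Length: 9\r\n\r\nuser=abc1"
PARTIAL_POST = b"POST /login HTTP/1.0\r\nContent-Length: 4096\r\n\r\nuser="
PARTIAL_GET = b"GET /index.jsp HTTP/1.0\r\nHost: example"

if __name__ == "__main__":
    for name, data in [("full POST", FULL_POST),
                       ("partial POST", PARTIAL_POST),
                       ("partial GET", PARTIAL_GET)]:
        print(name, "->", simulate(data)[0])
```

The timeout argument stands in for a connector's socket read timeout: with it set, each stalled client costs one thread for at most that long; without it (None), the same two partial requests park the handler indefinitely, which is the exposure Filip describes.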

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

