tomcat-dev mailing list archives

From Mladen Turk <mt...@apache.org>
Subject Re: APR Connector renegotiation fix
Date Thu, 12 Nov 2009 16:39:18 GMT
On 12/11/09 17:25, Filip Hanik - Dev Lists wrote:
>>
>> Note. Don't use 0.9.8l for testing cause that bugger will
>> block on renegotiation until socket timeout.
> This is actually not so bad. Since it's so easy to achieve the same DoS
> by simply sending a partial POST body, or partial GET request, and you
> have the same exposure to socket timeout.

Right, but this is a different thing, because you don't have
any control over it: it's executed below layer 7 (sort of).

> Given the blocking nature of the servlet specification, DoS is always
> there, and it's very easy to simulate. Timeouts are the only protection.
>

Well, even the OpenSSL folks admitted that 0.9.8l wrongly approached
dealing with that issue. They even removed the
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch
and now they use SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION using
different tricks.

So IMHO 0.9.8l is simply a dead end and shouldn't be used.

Regards
-- 
^TM


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

