On 11/12/2009 04:34 AM, Mladen Turk wrote:
Hi,
Just made the fix by modifying the mod_ssl patch
so that connection gets closed on R.
Problem with OpenSSL 0.9.8l that it has renegotiation
disabled and that it gets blocked in 'R' thus making
it a potential DoS (much worse then actual R) so
I'd suggest we don't use it and create immediate release
of 1.1.18 with the fix.
Please test the trunk or apply the patches to 1.1.x
(even better vote with +1 :)
Note. Don't use 0.9.8l for testing cause that bugger will
block on renegotiation until socket timeout.
This is actually not so bad. Since it's so easy to achieve the same DoS
by simply sending a partial POST body, or partial GET request, and you
have the same exposure to socket timeout.
Given the blocking nature of the servlet specification, DoS is always
there, and it's very easy to simulate. Timeouts is the only protection.
filip
Regards
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
