https://issues.apache.org/bugzilla/show_bug.cgi?id=52557
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #5 from Mark Thomas <ma...@apache.org> 2012-01-30 10:29:17 UTC ---
curl is re-using cnonce values without incrementing the nonce-count as
required by RFC2617. You can see this with the following access log
configuration:

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b %{authorization}i" />

Since this appears to be a replay attack, Tomcat correctly rejects the
requests.

It looks like curl changes the cnonce every second but never changes the
nonce count which is why you only see failures when the delay is less than
one second and also why the percentage of failures increases as the loop
gets tighter.

There is a bug here but it is in curl, not Tomcat.
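The nonce-count check the comment describes, as an added example that is not Tomcat's or curl's code: a small server-side tracker that parses the Digest Authorization header and rejects any request whose nc has not increased for the same server nonce, whether or not the cnonce changed, plus a helper that runs the Authorization values captured by the %{authorization}i log pattern above through that tracker. The log lines, realm, nonce and response values are constructed for the example.

```python
import re
# key="quoted value" or key=token (nc and qop are unquoted tokens in RFC 2617).
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

def parse_digest(value):
    """Parse the parameters of an 'Authorization: Digest ...' header value."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest authorization header")
    return {k: q or u for k, q, u in _PARAM_RE.findall(params)}

class NonceCountTracker:
    """Highest nc seen per server nonce; a non-increasing nc is a replay (RFC 2617 3.2.2)."""
    def __init__(self):
        self._last_nc = {}

    def check(self, auth_value):
        """Return (accepted, reason). A changed cnonce with the same nc is still rejected."""
        p = parse_digest(auth_value)
        nonce, nc_hex = p.get("nonce"), p.get("nc")
        if nonce is None or nc_hex is None:
            return False, "missing nonce or nc"
        nc = int(nc_hex, 16)
        if nc <= self._last_nc.get(nonce, 0):
            return False, f"nc={nc_hex} did not increase for nonce {nonce}: replay"
        self._last_nc[nonce] = nc
        return True, "ok"

def audit_access_log(lines):
    """Feed the headers logged by %{authorization}i through a tracker; list rejected lines."""
    tracker, rejected = NonceCountTracker(), []
    for n, line in enumerate(lines, 1):
        i = line.find("Digest ")
        if i < 0:
            continue  # no Authorization header was sent; the log field shows "-"
        ok, reason = tracker.check(line[i:])
        if not ok:
            rejected.append((n, reason))
    return rejected

# Constructed sample lines in the format of the access log pattern above.
_REQ = '127.0.0.1 - u [30/Jan/2012:10:29:17 +0000] "GET /p HTTP/1.1" '
_AUTH = 'Digest username="u", realm="r", nonce="n1", uri="/p", qop=auth, '
SAMPLE_LOG = [
    _REQ + '401 - -',
    _REQ + '200 12 ' + _AUTH + 'nc=00000001, cnonce="c1", response="x"',
    _REQ + '401 - ' + _AUTH + 'nc=00000001, cnonce="c1", response="x"',   # exact replay
    _REQ + '401 - ' + _AUTH + 'nc=00000001, cnonce="c2", response="y"',   # new cnonce, same nc
    _REQ + '200 12 ' + _AUTH + 'nc=00000002, cnonce="c2", response="z"',
]
```

Running audit_access_log(SAMPLE_LOG) flags lines 3 and 4: the fresh cnonce on line 4 does not rescue a request that reuses nc=00000001, which is exactly the pattern the comment attributes to curl.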