https://bz.apache.org/bugzilla/show_bug.cgi?id=59970
Bug ID: 59970
Summary: DoS with a single TLS connection on windows
Product: Apache httpd-2
Version: 2.4.23
Hardware: PC
Status: NEW
Severity: major
Priority: P2
Component: Platform
Assignee: [email protected]
Reporter: [email protected]
I'm a software developer at ESET and I believe I've found a bug in Apache
running on Windows (but not on Linux) that presents both a compatibility issue
with the ESET line of security products and a huge potential for DoS of Apache.
The simplest way to demonstrate this is:
1. Download http://de.apachehaus.com/downloads/httpd-2.4.23-x86-vc11.zip, unzip
2. Run httpd.exe
3. Verify that https://127.0.0.1 loads (proceed despite certificate warnings)
4. Run nc 127.0.0.1 443
5. Open https://127.0.0.1 again
6. Observe that the page loads for basically forever
7. Kill nc, observe that the page loads shortly after
This leads me to believe that holding a single https connection open to Apache
running on Windows without sending a client hello is enough to prevent the server
from responding to any new connections. Can you please investigate?
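The reproduction steps 4 to 7 above, as a script. This is an added example and is not code from the bug report, from ESET or from the Apache httpd project: it opens one TCP connection to the TLS port and sends nothing (the `nc 127.0.0.1 443` of step 4), then checks whether a second connection can still complete a TLS handshake within a timeout, and repeats the check after the idle connection is closed (step 7). The report does not identify the cause of the stall, so the script only measures the symptom. The host `127.0.0.1`, the port, the timeouts and the self-signed certificate handling are assumptions taken from the steps; the small echo server at the end is a constructed stand-in that serves connections strictly one at a time, so the checker can be exercised offline, and it says nothing about how httpd itself is implemented.

```python
"""Scripted form of the report's steps 4-7: hold one idle TCP connection to the
TLS port without sending a ClientHello, then check whether a second connection
can still complete a TLS handshake.  Added example, not part of the bug report."""
import socket
import socketserver
import ssl
import threading
import time


def tls_handshake_ok(host, port, timeout):
    """True if a fresh TLS handshake with host:port completes within `timeout` seconds.
    Certificate checks are disabled because the repro uses a self-signed cert (step 3)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:  # covers socket.timeout and ssl.SSLError
        return False


def echo_probe_ok(host, port, timeout):
    """Plain-TCP probe: send one line and expect it echoed back within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"ping\n")
            return s.recv(1024) == b"ping\n"
    except OSError:
        return False


def probe_while_idle(host, port, probe, timeout=5.0, settle=0.2):
    """Equivalent of 'nc 127.0.0.1 443' followed by a browser reload.

    Opens a connection that sends nothing (the idle nc), runs `probe` on a
    second connection while the first is still open, closes the idle one and
    runs `probe` again.  Returns (blocked_while_idle, served_after_close)."""
    idle = socket.create_connection((host, port), timeout=timeout)
    try:
        time.sleep(settle)                       # let the server accept the idle connection
        served_during = probe(host, port, timeout)
    finally:
        idle.close()                             # step 7: kill nc
    served_after = probe(host, port, timeout)
    return (not served_during, served_after)


class _EchoOneLine(socketserver.BaseRequestHandler):
    """Reads one line and echoes it; blocks for as long as the client stays silent."""

    def handle(self):
        data = b""
        while not data.endswith(b"\n"):
            chunk = self.request.recv(1024)
            if not chunk:
                return
            data += chunk
        try:
            self.request.sendall(data)
        except OSError:
            pass  # client already gone (e.g. it timed out waiting for us)


def start_single_threaded_server():
    """Constructed stand-in for a server that serves connections strictly one at
    a time.  It is not a model of httpd's internals; it only reproduces the
    symptom from the report so the checker can run offline.
    Returns (server, port) bound on 127.0.0.1."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _EchoOneLine)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    # Against a local httpd as in the report (host/port assumed: 127.0.0.1:443).
    blocked, recovered = probe_while_idle("127.0.0.1", 443, tls_handshake_ok, timeout=10.0)
    print("new TLS connections blocked while idle connection held:", blocked)
    print("served after idle connection closed:", recovered)
```

Run it against a server you own: a result of `(True, True)` means new TLS clients were stalled for the whole timeout while the silent connection was held and were served again as soon as it closed, which is the behaviour the report describes; `(False, True)` means the server kept accepting handshakes alongside the idle connection.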