At 09:53 PM 12/25/2004, Joe Orton wrote:
>This bug was filed a long time ago...
>
>http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355
Here's an overview, theory wise - comments welcome, apreq2 hackers
might be especially interested in my take on the situation;
Some general comments; renegotiation can only occur at a point
where the server is not expecting data from the client. At the
point where the client is sending some information to the server,
it is more challenging to start a renegotiation sequence and to
avoid baffling the client (at least, this is my understanding.)
HTTP/1.0
the 'classic' HTTP/1.0 handling -must- buffer the body if the connection
will be renegotiated. This should no longer be handled inside the mod_ssl
module itself, by itself. With the advent of filters, either apreq2 or
another 'client buffer' module must be implemented. The logic looks like;
client brigade read loop
mem_body > max_memory_body ?
create tmpfile if tmpfile isnull
response 'failure' if total_body > max_buffer_body
write body -> tmpfile
reopen tmpfile read-only
insert tmpfile bucket of tmpfile prior to remaining mem_body buckets.
now we have two controls that would prevent DoS attacks present in the
original fix proposed (unbounded growth of the body), one for memory
and one for disk-based storage. Remember, the renegotiation would
NOT determine the client certificate is valid until after these
resources had been consumed by a nefarious client.
I rather like the idea of apreq2 doing this work, and actually, integrating
apreq2 as a 'stock' apache2 module. apreq2 does nothing until some module
in the server configuration wants to use its services.
HTTP/1.1 + client Expect: 100-continue
http://rfc.net/rfc2616.html#s8.2.3
Clients which truly pause for 100-continue would be satisfied with no
buffering of the body. Schedule the renegotation prior to sending the
100 CONTINUE response.
Finally note that this is not specific to POST, it's generic to all HTTP
methods which contain a client body. The headers may be inspected to
determine if the client is attempting to push a body with the request.
Comments?
