Joe Orton wrote: > On Tue, Nov 17, 2009 at 11:42:40AM +0100, Hartmut Keil wrote: >> Joe Orton wrote: >>> This would break HTTP pipelining over SSL (for affected configurations), >>> and it might not fail gracefully - the server would appear to simply >>> never receive the pipelined requests. I'm relucant to do that. >> No, the proposed change would just affect to buffering-optimization in >> ssl_io_input_getline(...). Pipelining HTTP over SSL does not required, >> to decrypt/buffer more data then needed. > > I don't follow this. The second request injected by the attacker in the > example you give is a pipelined HTTP request, and your proposal is to > drop such a request exactly because it was pipelined (the client did not > stop and wait for the response before sending it). What am I missing? >
The client must stop and wait for the response in any case, otherwise the response of a subsequent request will get lost, if the server is not configured for keep-alive, or the response for the first request causes the server to close the connection: client is sending two requests: GET /one HTTP/1.1 Host:.... GET /two HTTP/1.1 Host:.... server is sending the response for the first request, and is closing the connection HTTP/1.1 200 OK Connection: close Transfer-Encoding: chunked .... Regards Hartmut -- AdNovum Informatik AG Hartmut Keil, Senior Software Engineer Dipl. Physiker Roentgenstrasse 22, CH-8005 Zurich mailto:hartmut.k...@adnovum.ch phone: +41 44 272 6111, fax: +41 44 272 6312 http://www.adnovum.ch AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)