On 3/3/2010 4:04 PM, Mladen Turk wrote:
>
> while [ true ];
> do
>   echo R | openssl s_client -connect host:port &
> done
>
> Not only will it kill the server, but it will kill your box as well :)

That's what iptables is for. It's no different than

> while [ true ];
> do
>   echo "OPTIONS * HTTP/1.1" | openssl s_client -connect host:port &
> done

demonstrating that your DoS concern is unfounded. The hang *does* timeout, doesn't it? I'm not arguing against a fix, I'm disputing your allegation of a DoS.

> Seriously, I was hoping 0.9.8m will reject legacy clients,
> unless explicitly SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set,
> but it seems that's not the case or we are doing something wrong in
> mod_ssl.

It rejects the renegotiation. It is the caller's responsibility to continue or die. Dr Henson's suggested approach is that we drop the timeout to some 5 seconds or less, in this case, until they resume the connection. Assorted clients are known to trigger a renegotiation periodically (expired their session?) and to not die, but alert-and-continue helps this phone-browser world.