On Wed, Mar 03, 2010 at 11:21:47PM +0100, Mladen Turk wrote:
> SSLInsecureRenegotiation off
> echo R | openssl-0.9.8m s_client .. disconnects
> echo R | openssl-0.9.8k s_client .. hangs until ServerTimeout

Ah, right, hmm. Yes, this is exactly as Bill says, the client is ignoring the alert and then the server is hanging until a read times out. This consumes exactly the same amount of server resources as the client doing nothing with the connection.

I'm not sure why the connection is not being forcibly closed by the server in this case, but:

a) it's certainly not a security issue
b) real clients don't initiate reneg, so it's not a practical issue

Regards, Joe