On Sat, 16 Apr 2011, Eric Covener wrote:
would mod_reqtimeout step in after too many renegotiations had eaten too much wall time?
Whenever mod_ssl reads data from the client, mod_reqtimeout will check the configured timeouts. It is possible that the data sent during reneg may prevent the "minimum required data rate" feature from triggering, but maximum timeouts will always be enforced.
The attacker can just create new connections, though.
