On Tue, Aug 19, 2014 at 9:25 AM, Lieven Govaerts <l...@mobsol.be> wrote:
> There's a bug in OpenSSL's SSL renegotiation algorithm. When it's initiated by the server to request a client certificate, it'll fail when pipelined requests are incoming on the connection at the server side.
>
> Short summary of the root cause: during renegotiation, OpenSSL reads data from the TCP connection expecting it to be a proper client certificate. However, if an HTTP request was still pending on the connection or in the server's receive buffer, OpenSSL will read that request's data, recognise it's not a proper client certificate, discard the data and report an error. Apache will then abort the connection in response to that OpenSSL error.
>
> Given that there's no fix planned in OpenSSL, the only available mitigation is to disable HTTP pipelining on connections where an SSL renegotiation can happen. Since that depends on the configuration of the server, we can't really know or predict when such renegotiation will happen.
>
> Conclusion: give the user the option to disable HTTP pipelining, which she can use in case of problems caused by renegotiation.
> Attached patch implements just that.
>
> Objections anyone? Other remarks?

I assume it is not possible for Serf to know that it is using client connections and disable it automatically?

I assume this problem does not happen all the time? How does it manifest currently? What error does the user see?

We have a few customers that use client certificates, and AFAIK, they have been using SVN 1.8 OK.

--
Thanks

Mark Phippard
http://markphip.blogspot.com/
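The record interleaving Lieven describes, as an added toy model (constructed for this thread, not serf, OpenSSL or Apache code): the server expects a handshake record after sending HelloRequest, but with pipelining the client's next HTTP request is already queued in front of the handshake reply. Record framing and the ClientHello stand-in are simplified assumptions.

```python
"""Constructed model: why a pipelined HTTP request breaks a server-initiated
TLS renegotiation. Not serf/OpenSSL/Apache code; framing is simplified."""
import struct

HANDSHAKE = 0x16          # TLS record content type: handshake
APPLICATION_DATA = 0x17   # TLS record content type: application data


def tls_record(content_type: int, payload: bytes) -> bytes:
    """Frame payload as a TLS 1.2 record: type(1) | version(2) | length(2) | body."""
    return bytes([content_type]) + b"\x03\x03" + struct.pack("!H", len(payload)) + payload


def read_record(buf: bytearray) -> tuple[int, bytes]:
    """Pop one record off the front of the receive buffer."""
    if len(buf) < 5:
        raise ValueError("short record header")
    (length,) = struct.unpack("!H", buf[3:5])
    content_type, body = buf[0], bytes(buf[5:5 + length])
    del buf[:5 + length]
    return content_type, body


def expect_handshake(buf: bytearray) -> bytes:
    """Server side after HelloRequest: the next record must be a handshake record.
    Modelled on the thread's description: anything else is discarded and the
    read fails, which the web server turns into a connection abort."""
    content_type, body = read_record(buf)
    if content_type != HANDSHAKE:
        raise ConnectionError(f"expected handshake, got type 0x{content_type:02x}: {body[:8]!r}")
    return body


def simulate(pipelining: bool) -> str:
    """Return 'renegotiation ok' or 'aborted: ...' for one client/server exchange."""
    buf = bytearray()   # the server's TCP receive buffer (constructed)
    reqs = [b"GET /a HTTP/1.1\r\nHost: example\r\n\r\n",
            b"GET /b HTTP/1.1\r\nHost: example\r\n\r\n"]
    # Pipelining puts every queued request on the wire before any response arrives;
    # without it the client waits for /a's response before sending /b.
    for req in (reqs if pipelining else reqs[:1]):
        buf += tls_record(APPLICATION_DATA, req)
    read_record(buf)    # server consumes /a, then sends HelloRequest (not modelled)
    # The client's handshake reply can only land behind whatever it already sent.
    buf += tls_record(HANDSHAKE, b"\x01" + b"\x00" * 3)   # constructed ClientHello stand-in
    try:
        expect_handshake(buf)
    except ConnectionError as exc:
        return f"aborted: {exc}"
    return "renegotiation ok"
```

Disabling pipelining (the mitigation the patch offers) corresponds to `simulate(False)`, where the only record in the buffer after HelloRequest is the client's handshake reply.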