On 12/11/09 17:25, Filip Hanik - Dev Lists wrote:

>> Note. Don't use 0.9.8l for testing cause that bugger will
>> block on renegotiation until socket timeout.
> This is actually not so bad. Since it's so easy to achieve the same DoS
> by simply sending a partial POST body, or partial GET request, and you
> have the same exposure to socket timeout.

Right, but this is a different thing cause you don't have
any control over it because it's executed below layer 7 (sort of).

> Given the blocking nature of the servlet specification, DoS is always
> there, and it's very easy to simulate. Timeouts are the only protection.


Well even OpenSSL folks admitted that 0.9.8l wrongly approached
dealing with that issue. They even removed the
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch
and now they use SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION using
different tricks.

So IMHO 0.9.8l is simply a dead end and shouldn't be used.

Regards
--
^TM

