On Thu, Feb 25, 2010, Victor Duchovni wrote:

> If I field a patched server, and sufficiently many unpatched pre-0.9.8m
> OpenSSL clients attempt re-negotiation under normal conditions, I have
> a resource starvation problem and unhappy users who are more annoyed at
> stuck connections than failed ones.

It would under normal circumstances (for some value of normal) require a
specific request to renegotiate from the client code or setting of
renegotiation values in an SSL BIO. I don't know how many clients do that:
I suspect (and hope!) not many.

> Thanks for the suggested patch, I'll chat to our web-plant team to find
> out which of the two non-optimal behaviours they are more comfortable
> with.

An alternative which doesn't require modification of OpenSSL is to make use of
the info callback which gets called when an alert is sent. That could be used
to either just indicate the connection should be closed or (for example) set
a smaller timeout value.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
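A sketch of the info-callback approach Steve describes, added here as an example (not code from this thread or from OpenSSL itself). It assumes a per-connection `struct conn_state` that the application hangs off `SSL_set_app_data()` and whose `alert_action` field the I/O loop consults after each `SSL_read`/`SSL_write`; the `SSL_CB_*`/`SSL_AD_*` values are copied from OpenSSL's ssl.h so the decision logic also compiles without OpenSSL installed.

```c
/* Added example: notice when this side sends a no_renegotiation alert
 * (what a 0.9.8m-patched server does when an unpatched client asks to
 * renegotiate) and flag the connection so the application can close it
 * or shorten its timeout instead of leaving the client stuck. */
#include <stdio.h>

#ifdef WITH_OPENSSL
#include <openssl/ssl.h>
#else
/* Mirror OpenSSL's ssl.h values so the logic builds stand-alone. */
#define SSL_CB_WRITE            0x08
#define SSL_CB_ALERT            0x4000
#define SSL_AD_NO_RENEGOTIATION 100
#endif

enum alert_action { ACT_NONE = 0, ACT_SHORT_TIMEOUT = 1, ACT_CLOSE = 2 };

/* Decode the (where, ret) pair the info callback receives. For alerts,
 * ret is (level << 8) | description; level 1 = warning, 2 = fatal.
 * Only alerts we are *sending* (SSL_CB_WRITE) are of interest here. */
int classify_alert(int where, int ret)
{
    int level, desc;
    if (!(where & SSL_CB_ALERT) || !(where & SSL_CB_WRITE))
        return ACT_NONE;             /* not an outgoing alert */
    level = ret >> 8;
    desc  = ret & 0xff;
    if (desc == SSL_AD_NO_RENEGOTIATION)
        return ACT_SHORT_TIMEOUT;    /* warning; peer may now stall */
    if (level == 2)
        return ACT_CLOSE;            /* fatal alert: connection is done */
    return ACT_NONE;
}

#ifdef WITH_OPENSSL
struct conn_state { int alert_action; }; /* assumed app-data struct */

static void info_cb(const SSL *ssl, int where, int ret)
{
    struct conn_state *cs = SSL_get_app_data(ssl);
    int act = classify_alert(where, ret);
    if (cs != NULL && act > cs->alert_action)
        cs->alert_action = act;      /* keep the most severe decision */
}

void install_alert_watch(SSL_CTX *ctx)
{
    SSL_CTX_set_info_callback(ctx, info_cb);
}
#endif
```

Build with `-DWITH_OPENSSL -lssl -lcrypto` to wire the callback into a real `SSL_CTX`; without it only the decision logic is compiled.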
