question about 2.4 availability
Hello httpd developers,

Is there already a feel for when the 2.3.x will become the stable 2.4? Based on your experience(s), shall we assume that the duration of the beta will be the same as an alpha?

Kind regards
- Fred

--
View this message in context: http://old.nabble.com/question-about-2.4-availability-tp30449440p30449440.html
Sent from the Apache HTTP Server - Dev mailing list archive at Nabble.com.
Re: TLS renegotiation attack, mod_ssl and OpenSSL
Hi,

Joe Orton wrote:
> On Tue, Nov 10, 2009 at 03:19:39PM +0100, Jean-Marc Desperrier wrote:
>> Joe Orton wrote:
>>> On Fri, Nov 06, 2009 at 12:00:06AM +, Joe Orton wrote:
>>>> On Thu, Nov 05, 2009 at 09:31:00PM +, Joe Orton wrote:
>>>>> * we can detect in mod_ssl when the client is renegotiating by using the
>>>>> callback installed using SSL_CTX_set_info_callback(), in conjunction
>>>>> with suitable flags in the SSLConnRec to detect the cases where this is
>>>>> either a server-initiated renegotiation or the initial handshake on the
>>>>> connection.
>>>>
>>>> Here is a very rough first hack (for discussion/testing purposes only!):
>>>
>>> A second hack, slightly less rough hack:
>>
>> Joe, instead of hard coding this, a very nice solution would be to have
>> a new directive "SSLServerRenegociation Allow" or even more flexible
>> "SSLRenegociation disabled/serveronly/enabled" with disabled as default
>> value.
>
> Yes, sure. What is possible in mod_ssl will depend on what interfaces
> OpenSSL will expose for this, which is not yet clear.
>
> Regards, Joe

Now that 0.9.8m-beta1 is available, what is likely to happen with Apache 2.2.15? I looked at the svn tree, but I could not see if anyone was working on adding this excellent idea for a new directive SSLRenegociation disabled/serveronly/enabled. If the server does not require renegotiation, it seems perfect if Apache closed the connection upon receipt of the R instead of the current 5 min (default) timeout wait.

Thank you
- Fred

--
View this message in context: http://old.nabble.com/TLS-renegotiation-attack%2C-mod_ssl-and-OpenSSL-tp26215127p27328884.html
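The approach Joe Orton describes above (an info callback that sees every handshake start, plus per-connection flags that tell an initial handshake and a server-initiated renegotiation apart from a client-initiated one) can be shown as a small state machine. The block below is an added example written for this page; it is not Joe's hack, not mod_ssl's code, and not from the thread. It builds without OpenSSL: the two `SSL_CB_*` event values are copied from `<openssl/ssl.h>`, but `conn_rec_t`, `reneg_policy_t`, the `RENEG_*` states, `info_callback`, `conn_server_requests_reneg`, `conn_should_close` and `run_events` are all constructed here. The policy enum mirrors the `SSLRenegociation disabled/serveronly/enabled` directive proposed in the thread, and `conn_should_close` is the hook a server would use to drop the connection at once rather than letting it sit until the Timeout expires, as Fred asks for.

```c
#include <stdio.h>
#include <string.h>

/* Event flags with the same values as OpenSSL's <openssl/ssl.h>; redefined
 * here only so this example compiles stand-alone without OpenSSL. */
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20

/* Constructed policy values, one per value of the proposed directive
 * "SSLRenegociation disabled/serveronly/enabled". */
typedef enum { RENEG_POLICY_DISABLED, RENEG_POLICY_SERVERONLY, RENEG_POLICY_ENABLED } reneg_policy_t;

/* Constructed per-connection state (stand-in for the flags the thread
 * proposes to keep in the SSLConnRec). */
typedef enum {
    RENEG_INIT,    /* initial handshake on this connection, always allowed */
    RENEG_REJECT,  /* handshake complete; a new handshake now is client-initiated */
    RENEG_ALLOW,   /* the next handshake is expected (server asked, or policy enabled) */
    RENEG_ABORT    /* forbidden renegotiation seen; connection must be closed */
} reneg_state_t;

typedef struct {
    reneg_policy_t policy;
    reneg_state_t state;
    int handshakes;    /* handshakes completed so far */
} conn_rec_t;

void conn_init(conn_rec_t *c, reneg_policy_t policy) {
    c->policy = policy;
    c->state = RENEG_INIT;
    c->handshakes = 0;
}

/* Server code calls this right before it triggers a renegotiation itself
 * (e.g. for a per-directory client-cert requirement), so the callback can
 * distinguish that handshake from one the peer started. */
void conn_server_requests_reneg(conn_rec_t *c) {
    if (c->policy != RENEG_POLICY_DISABLED)
        c->state = RENEG_ALLOW;
}

/* Same shape as an OpenSSL info callback, void cb(const SSL*, int where, int ret);
 * real code would fetch the connection record from the SSL object's app data,
 * here it is passed in directly. */
void info_callback(conn_rec_t *c, int where, int ret) {
    (void)ret;
    if (where & SSL_CB_HANDSHAKE_START) {
        /* RENEG_INIT and RENEG_ALLOW pass; a start while REJECT is the client
         * renegotiating on its own, which is what the attack needs. */
        if (c->state == RENEG_REJECT)
            c->state = RENEG_ABORT;
    }
    if ((where & SSL_CB_HANDSHAKE_DONE) && c->state != RENEG_ABORT) {
        c->handshakes++;
        c->state = (c->policy == RENEG_POLICY_ENABLED) ? RENEG_ALLOW : RENEG_REJECT;
    }
}

/* Checked by the I/O path after each callback: 1 means close the connection
 * now instead of waiting for the idle timeout. */
int conn_should_close(const conn_rec_t *c) {
    return c->state == RENEG_ABORT;
}

/* Drive a constructed event string: 'H' handshake start, 'D' handshake done,
 * 'S' server requests renegotiation. Stops at the first abort. */
reneg_state_t run_events(reneg_policy_t policy, const char *events, int *handshakes_out) {
    conn_rec_t c;
    conn_init(&c, policy);
    for (const char *p = events; *p; p++) {
        if (*p == 'S')      conn_server_requests_reneg(&c);
        else if (*p == 'H') info_callback(&c, SSL_CB_HANDSHAKE_START, 1);
        else if (*p == 'D') info_callback(&c, SSL_CB_HANDSHAKE_DONE, 1);
        if (conn_should_close(&c)) break;
    }
    if (handshakes_out) *handshakes_out = c.handshakes;
    return c.state;
}

int main(void) {
    static const char *names[] = { "INIT", "REJECT", "ALLOW", "ABORT" };
    int n;
    reneg_state_t s = run_events(RENEG_POLICY_DISABLED, "HDHD", &n);
    printf("disabled, client renegotiates: %s after %d handshake(s)\n", names[s], n);
    s = run_events(RENEG_POLICY_SERVERONLY, "HDSHD", &n);
    printf("serveronly, server renegotiates: %s after %d handshake(s)\n", names[s], n);
    return 0;
}
```

Under `disabled` and `serveronly` a client-started second handshake moves the connection to `RENEG_ABORT` before the handshake completes, so the count of completed handshakes stays at 1 and the I/O path can close immediately; a server-requested renegotiation under `serveronly` completes normally and returns to `RENEG_REJECT`.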
Re: mod_noloris: mitigating against slowloris-style attack
Hi Nick,

I looked at the code (I am not a coder) and wondered what made you say "it's geared clearly to the very small server."

Rgds
- Fred

Nick Kew wrote:
> Stefan Fritsch wrote:
>> Nick Kew wrote:
>>> Is this worth hacking up, or more trouble than it saves?
>>
>> It seems it already exists (I haven't tested it, though):
>> ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/mod_antiloris-0.3.tar.bz2
>>
> Looks almost what I had in mind. But it's geared clearly to
> the very small server. Which is, to be fair, exactly what's
> most threatened by slowloris. I have a meeting now, but will
> test-drive tonight.
>
> I see it's also Apache-licensed :-)
>
> --
> Nick Kew

--
View this message in context: http://www.nabble.com/mod_noloris%3A-mitigating-against-slowloris-style-attack-tp24203476p24282962.html
mod_proxy_ajp and ssl
Hi:

I have a rhetorical question for the developers of mod_proxy_ajp (and mod_jk). Assuming the Tomcat AJP connector was able to accept SSL connections: if the Apache httpd server and Tomcat are on separate machines and you needed to secure the connection with SSL, would you get better performance (# of clients and throughput) by having mod_proxy_ajp with SSL or by implementing stunnel?

Thank you in advance for your answers...

Fred

--
View this message in context: http://www.nabble.com/mod_proxy_ajp-and-ssl-tf2467042.html#a6877692