There may be a way around this problem now, but really, to make SKS good at
this kind of situation, someone needs to port SKS to a concurrency library
like LWT or Async. That will make it much easier to deal with these
problems, and to be able to handle multiple concurrent clients properly.
John Clizbe writes:
Oddly, I was looking at a different problem last night and noticed this
snippet appearing twice in wserver.ml:
188-189
let rec parse_headers map cin =
let line = input_line cin in (* DOS attack: input_line is unsafe on sockets *)
201-202
let parse_request cin =
Daniel Kahn Gillmor wrote:
Fix?
I'm afraid i don't know ocaml at all, so i don't have a proposed fix.
It seems to be related to the event loop model on the sks db process,
though. Looking at it from a system call level: either sks should be
multi-threaded, or reads from network sockets
Johan van Selst wrote:
Daniel Kahn Gillmor wrote:
Fix?
I'm afraid i don't know ocaml at all, so i don't have a proposed fix.
It seems to be related to the event loop model on the sks db process,
though. Looking at it from a system
On 03/25/2012 05:53 PM, Kristian Fiskerstrand wrote:
Did a few more changes[0] to speed up the IP lookup process, and
included adding IPv6 for some subset pools (including the HA one)
Hm, just looking for the regular IPv4 A records for the HA pool from
different authoritative nameservers
On 26.03.2012 00:46, Daniel Kahn Gillmor wrote:
On 03/25/2012 05:53 PM, Kristian Fiskerstrand wrote:
Did a few more changes[0] to speed up the IP lookup process, and
included adding IPv6 for some subset pools (including the HA
one)
Hm, just
On 2012-03-19 at 21:11 +0100, Kristian Fiskerstrand wrote:
Here you go!
Added ha.pool. The HTTP Server code is available at e.g.
http://sks-keyservers.net/status/info/keys.kfwebs.net . Atm I'm only
including nginx servers in the subset.
On 03/21/2012 08:08 AM, Phil Pennock wrote:
For nginx, if you listen on a port and only have one vhost, with no
default_server, will all requests for that hostname go to this server
spec?
I believe they will, yes. keys.mayfirst.org is also known as
zimmermann.mayfirst.org (and as
Hi,
I'm trying to do the proxy-stuff with apache2. On first sight,
it seems to work well:
<VirtualHost 109.230.243.87:11371>
ServerName keys.wuschelpuschel.org
ServerAdmin pe...@wuschelpuschel.org
<Proxy *>
Order deny,allow
Allow from all
Peter Kornherr wrote:
Sorry, I forgot to mention the sks log entry for that request:
2012-03-20 23:19:18 Miscellaneous error: Failure(parse_post failed for lack of a content-length header)
Is this a client problem or a matter of my
On Tue, Mar 20, 2012 at 11:45:50PM +0100, Peter Kornherr wrote:
Sorry, forgot to mention the sks log entry for that request:
2012-03-20 23:19:18 Miscellaneous error: Failure(parse_post failed for lack of a content-length header)
--pk
On 19.03.2012 02:25, Daniel Kahn Gillmor wrote:
On 03/18/2012 10:36 AM, MailFighter.net Admin wrote:
...
So my nginx configuration stanzas are:
Thank you for the recommendation and the configuration example.
keys.kfwebs.net should be running a
On 19.03.2012 18:24, Daniel Kahn Gillmor wrote:
On 03/19/2012 07:38 AM, Kristian Fiskerstrand wrote:
On 19.03.2012 02:25, Daniel Kahn Gillmor wrote:
...
If there was an ha-pool.sks-keyservers.net , i would be very happy
to use it instead of
On 03/19/2012 04:11 PM, Kristian Fiskerstrand wrote:
Here you go!
Added ha.pool. The HTTP Server code is available at e.g.
http://sks-keyservers.net/status/info/keys.kfwebs.net . Atm I'm only
including nginx servers in the subset.
Wow, very speedy -- thanks, Kristian! Works for me.
I think
On 03/18/2012 09:46 PM, John Clizbe wrote:
The default setting for wserver_timeout is 180 seconds.
Does setting it to a lower value in sksconf help?
I just tested with 10 instead of 180.
if i revert my nginx changes and allow sks back to listening on public
ports, set wserver_timeout: 10 in
On 03/20/2012 12:22 AM, Pacal Mayan wrote:
would implementing an accept filter help? i.e., accf_data or accf_http
on the socket?
I'm assuming you're talking about [0], which i think is FreeBSD only,
right? i'd never seen this sockopt before, thanks for pointing it out!
I haven't tested it
On 03/13/2012 06:08 PM, Daniel Kahn Gillmor wrote:
It appears that SKS 1.1.1's hkp interface is vulnerable to an ugly DoS attack
by a client
holding open a network connection without completing an HTTP request.
Sounds just like the kind of
On 03/18/2012 10:36 AM, MailFighter.net Admin wrote:
On 03/13/2012 06:08 PM, Daniel Kahn Gillmor wrote:
It appears that SKS 1.1.1's hkp interface is vulnerable to an ugly DoS attack
by a client
holding open a network connection without
Daniel Kahn Gillmor wrote:
Hey SKS folks--
It appears that SKS 1.1.1's hkp interface is vulnerable to an ugly DoS
attack by a client holding open a network connection without completing
an HTTP request.
snip
---
I'd be very happy
Hi John--
Thanks for looking into this.
On 03/18/2012 09:46 PM, John Clizbe wrote:
The default setting for wserver_timeout is 180 seconds.
Does setting it to a lower value in sksconf help?
I just tested with 10 instead of 180.
if i revert my nginx changes and allow sks back to listening on
Hey SKS folks--
It appears that SKS 1.1.1's hkp interface is vulnerable to an ugly DoS
attack by a client holding open a network connection without completing
an HTTP request.
Demonstration
-------------
This is pretty easy to demonstrate using two terminal windows: use
netcat in one to connect
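The stalled-request problem reported above, and the unbounded `input_line` read on a socket that John Clizbe points at in wserver.ml, modelled as an added Python example (this is not SKS code and not from any message on this page): a one-connection-at-a-time HTTP server with the naive blocking head reader beside a hardened one that puts a wall-clock deadline and a size bound on the request head, which is the kind of limit a reverse proxy or accept filter in front of SKS enforces. A slow client sends a request line and one header and then stops, as the netcat demonstration does; an honest client connects right behind it and the demo measures how long it waits. The timeouts, the loopback port, the /pks/lookup request and the hold times are constructed demo values, not settings from the thread.

```python
import socket
import threading
import time

# Constructed demo values (not from the SKS thread): kept short so the demo finishes quickly.
HEADER_TIMEOUT = 0.5   # wall-clock budget for the request line plus headers
MAX_HEAD = 8192        # bound on the whole request head; anything longer is rejected
REQUEST = b"GET /pks/lookup?op=index&search=example HTTP/1.0\r\nHost: keys.example\r\n"


class IncompleteRequest(Exception):
    """The client did not deliver a complete request head."""


def parse_head(buf):
    """Split a raw request head into (request_line, {lowercased header: value})."""
    lines = buf.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers


def read_request_naive(conn):
    """Unbounded blocking read, the shape of input_line on a socket: it returns only when the
    client sends the blank line or disconnects, so one stalled client stalls the whole loop."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(1024)
        if not chunk:
            raise IncompleteRequest("client closed before finishing the request head")
        buf += chunk
    return parse_head(buf)


def read_request_hardened(conn, timeout=HEADER_TIMEOUT, max_head=MAX_HEAD):
    """Same loop with a deadline for the whole head and a size bound: a client that trickles
    bytes or never sends the blank line is cut off after at most `timeout` seconds."""
    deadline = time.monotonic() + timeout
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise IncompleteRequest("request head not completed before the deadline")
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            raise IncompleteRequest("request head not completed before the deadline")
        if not chunk:
            raise IncompleteRequest("client closed before finishing the request head")
        buf += chunk
        if len(buf) > max_head:
            raise IncompleteRequest("request head too large")
    return parse_head(buf)


def serve_sequentially(listener, reader, count, outcomes):
    """One-connection-at-a-time accept loop; `outcomes` records what happened to each client."""
    for _ in range(count):
        conn, _ = listener.accept()
        with conn:
            try:
                reader(conn)
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
                outcomes.append("served")
            except IncompleteRequest:
                outcomes.append("rejected")
                try:
                    conn.sendall(b"HTTP/1.0 408 Request Timeout\r\n\r\n")
                except OSError:
                    pass  # peer already gone; nothing more to do


def slow_client(port, hold):
    """Send a request head without its terminating blank line and keep the socket open."""
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sock.sendall(REQUEST)
        time.sleep(hold)


def run_demo(reader, hold):
    """Stall the server with one slow client, then measure how long an honest client waits.
    Returns (outcomes, seconds the honest client waited, first bytes of its reply)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    outcomes = []
    server = threading.Thread(target=serve_sequentially, args=(listener, reader, 2, outcomes))
    server.start()
    threading.Thread(target=slow_client, args=(port, hold)).start()
    time.sleep(0.2)  # let the slow client be the connection the server is stuck on
    start = time.monotonic()
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sock.sendall(REQUEST + b"\r\n")
        reply = sock.recv(1024)
    waited = time.monotonic() - start
    server.join()
    listener.close()
    return outcomes, waited, reply
```

Running `run_demo(read_request_naive, hold=1.5)` shows the honest client waiting for as long as the slow client chooses to hold its socket open (here about 1.3 seconds, and with a real attacker, indefinitely), while `run_demo(read_request_hardened, hold=2.0)` answers it after roughly the 0.5 second head deadline regardless of what the slow client does. The deadline is for the whole head rather than per `recv`, so a client that sends one byte just inside each timeout gains nothing, and the size bound stops a client from satisfying the deadline by streaming an endless header.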