There may be a way around this problem now, but really, to make SKS good at
this kind of situation, someone needs to port SKS to a concurrency library
like LWT or Async. That will make it much easier to deal with these
problems, and to be able to handle multiple concurrent clients properly.
Unfor
John Clizbe writes:
> Oddly, I was looking at a different problem last night and noticed this
> snippet appearing twice in wserver.ml:
>
> 188-189
> let rec parse_headers map cin =
> let line = input_line cin in (* DOS attack: input_line is unsafe on
> sockets *)
>
> 201-202
> let parse_request
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1,SHA256
Johan van Selst wrote:
> Daniel Kahn Gillmor wrote:
>> Fix?
>>
>> I'm afraid i don't know ocaml at all, so i don't have a proposed fix.
>> It seems to be related to the event loop model on the sks db process,
>> though. Looking at it from
Daniel Kahn Gillmor wrote:
> Fix?
>
> I'm afraid i don't know ocaml at all, so i don't have a proposed fix.
> It seems to be related to the event loop model on the sks db process,
> though. Looking at it from a system call level: either sks should be
> multi-threaded, or reads from network so
On 26.03.2012 00:46, Daniel Kahn Gillmor wrote:
> On 03/25/2012 05:53 PM, Kristian Fiskerstrand wrote:
>> Did a few more changes[0] to speed up the IP lookup process, and
>> included adding IPv6 for some subset pools (including the HA
>> one)
>
> Hm,
On 03/25/2012 05:53 PM, Kristian Fiskerstrand wrote:
Did a few more changes[0] to speed up the IP lookup process, and
included adding IPv6 for some subset pools (including the HA one)
Hm, just looking for the regular IPv4 A records for the HA pool from
different authoritative nameservers seems
On 21.03.2012 11:49, Phil Pennock wrote:
> On 2012-03-19 at 21:11 +0100, Kristian Fiskerstrand wrote:
>> Here you go!
>
>> Added ha.pool. The HTTP Server code is available at e.g.
>> http://sks-keyservers.net/status/info/keys.kfwebs.net . Atm I'm
>>
On 03/21/2012 08:08 AM, Phil Pennock wrote:
For nginx, if you listen on a port and only have one vhost, with no
default_server, will all requests for that hostname go to this server
spec?
I believe they will, yes. keys.mayfirst.org is also known as
zimmermann.mayfirst.org (and as zimmerman.ma
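A front-end server block of the kind discussed in this thread (nginx owning the public HKP port, sks bound to localhost behind it), written here as an added example rather than any participant's actual configuration. It assumes sks is started with hkp_address: 127.0.0.1 and hkp_port: 11372, so that nginx can own port 11371 without a bind conflict; the hostnames and timeout values are illustrative.

```nginx
# Added example, not a configuration posted in the thread. Assumes sks listens on
# 127.0.0.1:11372 (sksconf: hkp_address: 127.0.0.1 / hkp_port: 11372), so nginx
# alone owns the public HKP port.
server {
    listen 11371;
    listen [::]:11371;
    # As the only server block on this port it answers every request on it,
    # whatever the Host header says; the names are listed for clarity.
    server_name keys.example.org pool.example.org;

    # A client that connects but never finishes its request is cut off here,
    # long before sks's own wserver_timeout (180 s by default) would fire,
    # and without occupying sks's single request loop in the meantime.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     5s;

    # HKP requests are small; key submissions to /pks/add are the only large bodies.
    client_max_body_size        8m;
    large_client_header_buffers 4 8k;

    location / {
        # nginx reads the whole request (headers and, by default, the body) before
        # it opens the upstream connection, so sks only ever sees complete requests,
        # and a buffered POST body is forwarded with a Content-Length header.
        proxy_pass         http://127.0.0.1:11372;
        proxy_set_header   Host       $host;
        proxy_set_header   X-Real-IP  $remote_addr;
        proxy_read_timeout 60s;
    }
}
```

The Content-Length point matters for the Apache setups elsewhere in this thread: the "parse_post failed for lack of a content-length header" failure quoted there is sks refusing a proxied POST whose body arrived without that header, which a request-buffering front end avoids.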
On 2012-03-19 at 21:11 +0100, Kristian Fiskerstrand wrote:
> Here you go!
>
> Added ha.pool. The HTTP Server code is available at e.g.
> http://sks-keyservers.net/status/info/keys.kfwebs.net . Atm I'm only
> including nginx servers in the subset.
On Tue, Mar 20, 2012 at 11:45:50PM +0100, Peter Kornherr wrote:
Sorry, forgot to mention the sks log entry for that request:
2012-03-20 23:19:18 Miscellaneous error: Failure("parse_post failed for lack of
a content-length header")
--pk
signature.asc
Description: Digital signature
Hi,
this is what I'm doing with apache2 on keys.wuschelpuschel.org:
(part of, as I'm already proxying from :80 on several hostnames)
> hkp_address: 127.0.0.1
ServerName
ServerAdmin
Order deny,allow
Allow from all
ProxyP
Peter Kornherr wrote:
> Sorry, I forgot to mention the sks log entry for that request:
>
> 2012-03-20 23:19:18 Miscellaneous error: Failure("parse_post failed for lack
> of a content-length header")
>
> Is this a client problem or a matter of
Sorry, I forgot to mention the sks log entry for that request:
2012-03-20 23:19:18 Miscellaneous error: Failure("parse_post failed for lack of
a content-length header")
Is this a client problem or a matter of my apache proxy?
--pk
Hi,
I'm trying to do the proxy-stuff with apache2. On first sight,
it seems to work well:
ServerName keys.wuschelpuschel.org
ServerAdmin pe...@wuschelpuschel.org
Order deny,allow
Allow from all
ProxyPass / http://127.0.0.1
On 03/20/2012 12:22 AM, Pacal Mayan wrote:
would implementing an accept filter help? i.e., accf_data or accf_http
on the socket?
I'm assuming you're talking about [0], which I think is FreeBSD only,
right? I'd never seen this sockopt before, thanks for pointing it out!
I haven't tested it m
On 03/18/2012 09:46 PM, John Clizbe wrote:
The default setting for wserver_timeout is 180 seconds.
Does setting it to a lower value in sksconf help?
I just tested with 10 instead of 180.
if I revert my nginx changes and allow sks back to listening on public
ports, set wserver_timeout: 10 in /et
On 03/19/2012 04:11 PM, Kristian Fiskerstrand wrote:
Here you go!
Added ha.pool. The HTTP Server code is available at e.g.
http://sks-keyservers.net/status/info/keys.kfwebs.net . Atm I'm only
including nginx servers in the subset.
Wow, very speedy -- thanks, Kristian! Works for me.
I think t
On 19.03.2012 18:24, Daniel Kahn Gillmor wrote:
> On 03/19/2012 07:38 AM, Kristian Fiskerstrand wrote:
>> On 19.03.2012 02:25, Daniel Kahn Gillmor wrote:
...
> If there was an ha-pool.sks-keyservers.net , i would be very happy
> to use it instead of po
On 03/19/2012 07:38 AM, Kristian Fiskerstrand wrote:
On 19.03.2012 02:25, Daniel Kahn Gillmor wrote:
So my nginx configuration stanzas are:
Thank you for the recommendation and the configuration example.
keys.kfwebs.net should be running a similar setup now on both IPv4 and
IPv6.
Thanks for
On 19.03.2012 02:25, Daniel Kahn Gillmor wrote:
> On 03/18/2012 10:36 AM, MailFighter.net Admin wrote:
...
>
> So my nginx configuration stanzas are:
Thank you for the recommendation and the configuration example.
keys.kfwebs.net should be running
Hi John--
Thanks for looking into this.
On 03/18/2012 09:46 PM, John Clizbe wrote:
The default setting for wserver_timeout is 180 seconds.
Does setting it to a lower value in sksconf help?
I just tested with 10 instead of 180.
if I revert my nginx changes and allow sks back to listening on p
Daniel Kahn Gillmor wrote:
> Hey SKS folks--
>
> It appears that SKS 1.1.1's hkp interface is vulnerable to an ugly DoS
> attack by a client holding open a network connection without completing
> an HTTP request.
>
>
> ---
>
> I'd be very h
On 03/18/2012 10:36 AM, MailFighter.net Admin wrote:
On 03/13/2012 06:08 PM, Daniel Kahn Gillmor wrote:
It appears that SKS 1.1.1's hkp interface is vulnerable to an ugly DoS attack
by a client
holding open a network connection without completing
On 03/13/2012 06:08 PM, Daniel Kahn Gillmor wrote:
> It appears that SKS 1.1.1's hkp interface is vulnerable to an ugly DoS attack
> by a client
> holding open a network connection without completing an HTTP request.
Sounds just like the kind of vu
Hey SKS folks--
It appears that SKS 1.1.1's hkp interface is vulnerable to an ugly DoS
attack by a client holding open a network connection without completing
an HTTP request.
Demonstration
-
This is pretty easy to demonstrate using two terminal windows: use
netcat in one to connect
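The two-terminal demonstration above, and the event-loop rewrite the first message in this listing asks for (a port to Lwt or Async), as an added example in Python rather than OCaml: this is not SKS code and was not posted in the thread. It serves with a selector loop in which every connection carries its own header deadline, then runs the demonstration against it: one client connects, sends part of a request line and nothing more, and a second client sends a complete request while the first is still stalled. The request paths, hostname, deadline and buffer cap are assumptions chosen for the demo.

```python
# Added example, not SKS code: a selector-driven header reader with per-connection deadlines.
import contextlib
import selectors
import socket
import threading
import time

HEADER_DEADLINE = 1.0    # assumption: seconds a client gets to finish its request headers
MAX_HEADER_BYTES = 8192  # assumption: cap on buffered header bytes per connection


def build_response(headers: bytes) -> bytes:
    """Minimal HTTP/1.0 reply standing in for the real lookup handler."""
    parts = headers.split(b"\r\n", 1)[0].split()
    ok = len(parts) == 3 and parts[2].startswith(b"HTTP/")
    status, body = ((b"200 OK", b"lookup ok: %s\n" % parts[1]) if ok
                    else (b"400 Bad Request", b"bad request\n"))
    return (b"HTTP/1.0 %s\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s"
            % (status, len(body), body))


def serve(listener, stop, deadline=HEADER_DEADLINE):
    """Single-threaded loop that never blocks on one client, unlike input_line() on a socket."""
    sel = selectors.DefaultSelector()
    listener.setblocking(False)
    sel.register(listener, selectors.EVENT_READ)
    pending = {}  # conn -> [buffered header bytes, absolute deadline]

    def drop(conn):
        sel.unregister(conn)
        pending.pop(conn, None)
        conn.close()

    while not stop.is_set():
        for key, _ in sel.select(timeout=0.05):
            if key.fileobj is listener:
                conn, _ = listener.accept()
                conn.setblocking(False)
                sel.register(conn, selectors.EVENT_READ)
                pending[conn] = [b"", time.monotonic() + deadline]
                continue
            conn = key.fileobj
            try:
                chunk = conn.recv(4096)
            except OSError:                        # reset or other error: treat the peer as gone
                chunk = b""
            if not chunk:                          # peer closed before finishing its request
                drop(conn)
                continue
            state = pending[conn]
            state[0] += chunk
            if b"\r\n\r\n" in state[0]:            # complete header block: answer and close
                with contextlib.suppress(OSError):
                    conn.send(build_response(state[0].split(b"\r\n\r\n", 1)[0]))
                drop(conn)
            elif len(state[0]) > MAX_HEADER_BYTES:  # header flood: refuse instead of buffering
                drop(conn)
        now = time.monotonic()                     # slow-client case: deadline passed, no blank line
        for conn in [c for c, (_, due) in pending.items() if due < now]:
            drop(conn)
    sel.close()
    listener.close()


def demo(deadline=HEADER_DEADLINE):
    """The two-terminal demonstration in one process: a stalled client, then a normal one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                # ephemeral port; only this demo talks to it
    listener.listen(16)
    port = listener.getsockname()[1]
    stop = threading.Event()
    thread = threading.Thread(target=serve, args=(listener, stop, deadline), daemon=True)
    thread.start()
    try:
        stalled = socket.create_connection(("127.0.0.1", port))
        stalled.sendall(b"GET /pks/lookup?op=get&search=0x")   # no CRLF, no blank line, ever
        t0 = time.monotonic()
        good = socket.create_connection(("127.0.0.1", port), timeout=5)
        good.sendall(b"GET /pks/lookup?op=index&search=example HTTP/1.0\r\n"
                     b"Host: keys.example.org\r\n\r\n")
        reply = b""
        while part := good.recv(4096):
            reply += part
        good_latency = time.monotonic() - t0
        good.close()
        stalled.settimeout(deadline + 2.0)         # the server drops the stalled socket at its deadline
        try:
            stalled_closed = stalled.recv(1) == b""
        except socket.timeout:
            stalled_closed = False
        except OSError:                            # a reset also means the server let go
            stalled_closed = True
        stalled.close()
        return {"good_status": reply.split(b"\r\n", 1)[0],
                "good_latency": good_latency, "stalled_closed": stalled_closed}
    finally:
        stop.set()
        thread.join()
```

demo() returns the second client's status line and latency together with whether the server closed the stalled socket: the well-formed request is answered in milliseconds although the stalled connection is still open, and the stalled one is dropped once its deadline passes. A reader built on a blocking input_line() would instead hold the second client until the first connection timed out, which with the default wserver_timeout discussed above is 180 seconds.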