>>>>> "M" == Matthieu Estrade <mestr...@apache.org> writes:

M> More granular timeout and maybe adaptative timeout is also IMHO a good
M> way to improve resistance to this kind of attack.

The current 1.3, 2.0 and 2.2 documentation is in agreement too!

I believe the ssl module also takes its timeout value from this
setting. It would be great if that was separately configurable too to
cater for those intent on doing partial ssl handshakes.


  The TimeOut directive currently defines the amount of time Apache will
  wait for three things:

   1. The total amount of time it takes to receive a GET request.
   2. The amount of time between receipt of TCP packets on a POST or PUT
      request.
   3. The amount of time between ACKs on transmissions of TCP packets in
      responses.

  We plan on making these separately configurable at some point down the
  road. The timer used to default to 1200 before 1.2, but has been
  lowered to 300 which is still far more than necessary in most
  situations. It is not set any lower by default because there may still
  be odd places in the code where the timer is not reset when a packet
  is sent. 


regards

|<evin

-- 
Kevin J Walters                      Morgan Stanley
k...@ms.com                           25 Cabot Square
Tel: 020 7425 7886                   Canary Wharf
Fax: 020 7677 8504                   London E14 4QA
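
An added illustration, not part of the original message and not Apache code: a small Python model of items 1 and 2 in the quoted documentation, comparing how long one request can occupy a worker under the single TimeOut and under separately configurable limits. The names `gap_limit` and `total_limit` are hypothetical, and the packet arrival times are constructed sample data.

```python
TIMEOUT = 300  # default value given in the quoted documentation

# Constructed sample: a packet every 5 s for 200 s, request never completed.
TRICKLE = [5 * i for i in range(1, 41)]

def single_timer(method, arrivals, complete, timeout=TIMEOUT):
    """Model of the quoted TimeOut semantics.

    arrivals: sorted offsets (seconds) at which request packets arrive.
    complete: True if the last packet finishes the request.
    Returns (outcome, seconds the worker stayed occupied).
    """
    if method == "GET":
        # Item 1: one timer bounds receipt of the whole request.
        if complete and arrivals and arrivals[-1] <= timeout:
            return ("served", arrivals[-1])
        return ("timed out", timeout)
    # Item 2 (POST/PUT): the timer restarts on every received packet.
    prev = 0
    for t in arrivals:
        if t - prev > timeout:
            return ("timed out", prev + timeout)
        prev = t
    return ("served", prev) if complete else ("timed out", prev + timeout)

def split_timers(arrivals, complete, gap_limit, total_limit):
    """Hypothetical separate limits: maximum idle gap between packets
    and maximum total time to receive the request."""
    prev = 0
    for t in arrivals:
        deadline = min(prev + gap_limit, total_limit)
        if t > deadline:
            return ("timed out", deadline)
        prev = t
    if complete:
        return ("served", prev)
    return ("timed out", min(prev + gap_limit, total_limit))

if __name__ == "__main__":
    print("GET,  single timer:", single_timer("GET", TRICKLE, False))
    print("POST, single timer:", single_timer("POST", TRICKLE, False))
    print("POST, split timers:", split_timers(TRICKLE, False, 10, 60))
```

In this model the inter-packet timer alone places no upper bound on a body that keeps arriving, which is why a total limit alongside the idle limit is what caps worker occupancy.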
