On Sun, May 15, 2016 at 06:54:06PM +0200, Daniele Tricoli wrote:

> This is my actual plan:
> 1. Update urllib3 and requests (the first package is ready, I'm updating 
>    requests right now)
> 2. see if the problem is still present;
> 3. forward the bug upstream; upstream is very responsive so we will have 
>    news soon.

We worked out more details on #debian-admin and I've already posted the
results on the upstream repository.

I'll write it also here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=39243 is relevant, and
they have a rationale and a work-around:

  But you should really design your site to ensure that the first
  request to a client-cert-protected area is not a POST request with a
  large body; make it a GET or something. Any request body has to be
  buffered into RAM to handle this case, so represents an opportunity to
  DoS the server.

I can change python-debiancontributors to do a GET before a POST; the
GET gets to negotiate SSL correctly and smoothly, and the POST
afterwards should go through.


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enr...@enricozini.org>
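
The workaround described in this message, sketched with Python's standard library as an added example (not code from python-debiancontributors or from this thread). The function names and the idea of passing in the connection are assumptions made for illustration; the caller supplies the paths, and the warm-up path must lie inside the client-cert-protected area.

```python
import http.client
import ssl


def client_cert_connection(host, certfile, keyfile, port=443, timeout=30):
    """HTTPS connection whose TLS context can present a client certificate."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)


def post_after_warmup(conn, warmup_path, post_path, body,
                      content_type="application/json"):
    """GET a protected URL first, then POST on the same connection.

    The body-less GET is the first request to reach the client-cert-protected
    area, so the server has no request body to buffer while it asks for the
    certificate. Returns (status, response_bytes) of the POST.
    """
    conn.request("GET", warmup_path)
    warm = conn.getresponse()
    warm.read()  # drain the response so the connection can be reused
    if warm.status >= 400:
        raise RuntimeError("warm-up GET failed: %d %s" % (warm.status, warm.reason))
    # If the server is closing the connection, http.client would silently open
    # a new one for the POST and the POST would again be the first request.
    if (warm.getheader("Connection") or "").lower() == "close":
        raise RuntimeError("server closed the connection after the warm-up GET")
    conn.request("POST", post_path, body=body,
                 headers={"Content-Type": content_type})
    resp = conn.getresponse()
    return resp.status, resp.read()
```

Both requests must go through the same connection object; a fresh connection for the POST would put the large body back on the first request to the protected area.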
