Ruediger Pluem wrote:
No, currently there are no plans to change this. Please have a look at
http://issues.apache.org/bugzilla/show_bug.cgi?id=39243#c14

Do I understand correctly from this comment that if a user connects to
the site using a client certificate, and if the SSLClientVerify step
happens before the attempted post operation, that the problem won't
occur? If so, then I should be home free, because with Plone, one must
GET a page first, before POSTing any data using the form in question.

With regard to this comment:
http://issues.apache.org/bugzilla/show_bug.cgi?id=39243#c12
Would someone be so kind as to interpret that code snippet for me? Is
that a patch that I could apply to 2.2.4 Apache sources and set a config
parameter SSL_MAX_IO_BUFFER in some appropriate context in my config
files, and thus eliminate the problem for myself (if exposing myself to
the DoS vulnerability---I have a very small and trustworthy user base)?
Is this the patch that Red Hat is using? Or is there another patch to
remove this limitation?

Many thanks for your detailed replies.

-Kevin