On Tue, Nov 17, 2009 at 11:42:40AM +0100, Hartmut Keil wrote:
> Joe Orton wrote:
> > This would break HTTP pipelining over SSL (for affected configurations),
> > and it might not fail gracefully - the server would appear to simply
> > never receive the pipelined requests. I'm reluctant to do that.
>
> No, the proposed change would just affect the buffering optimization in
> ssl_io_input_getline(...). Pipelining HTTP over SSL does not require
> decrypting/buffering more data than needed.
I don't follow this. The second request injected by the attacker in the example you give is a pipelined HTTP request, and your proposal is to drop such a request exactly because it was pipelined (the client did not stop and wait for the response before sending it). What am I missing?

Regards, Joe
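To make the failure mode in this exchange concrete, here is an added example (not code from the thread or from httpd/mod_ssl): a minimal HTTP/1.1 request splitter, and two toy server loops fed the same single read containing two pipelined requests. One loop carries leftover bytes into the next read; the other handles only the first request in the read and discards the rest, which is the "never receives the pipelined requests" outcome Joe describes: no error is produced, the second request simply vanishes. The sample requests, the host name and the function names are constructed for the example.

```python
# Added example (not from the httpd thread): how a server-side input buffer
# that drops bytes beyond the first request silently loses pipelined requests.

CRLF = b"\r\n"
HEADER_END = b"\r\n\r\n"


def split_pipelined(buf: bytes):
    """Split one buffered read into complete HTTP/1.1 requests.

    Returns (requests, remainder): every complete request found at the
    front of buf, in order, and whatever trailing bytes are still
    incomplete (to be joined with the next read).
    Only Content-Length bodies are handled; chunked bodies are out of scope.
    """
    requests = []
    while True:
        end = buf.find(HEADER_END)
        if end == -1:
            break                      # headers not complete yet
        head = buf[:end]
        body_len = 0
        for line in head.split(CRLF)[1:]:      # skip the request line
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                body_len = int(value.strip())
        total = end + len(HEADER_END) + body_len
        if len(buf) < total:
            break                      # body not complete yet
        requests.append(buf[:total])
        buf = buf[total:]
    return requests, buf


def serve_keep_remainder(reads):
    """Server loop that carries leftover bytes from one read into the next,
    so requests pipelined into a single read (or split across reads) are
    all handled."""
    served, pending = [], b""
    for chunk in reads:
        reqs, pending = split_pipelined(pending + chunk)
        served.extend(reqs)
    return served


def serve_drop_remainder(reads):
    """Server loop that handles only the first request in each read and
    discards the rest of the buffer. Nothing fails loudly: the second
    request is never seen, and the client just waits for a response."""
    served = []
    for chunk in reads:
        reqs, _ = split_pipelined(chunk)
        if reqs:
            served.append(reqs[0])
    return served


# Constructed sample: a client pipelines two requests into one write, which
# the server receives as one read (after TLS decryption).
PIPELINED_READ = (
    b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /b HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
)

if __name__ == "__main__":
    print(len(serve_keep_remainder([PIPELINED_READ])), "requests served (keep remainder)")
    print(len(serve_drop_remainder([PIPELINED_READ])), "requests served (drop remainder)")
```

The point of the example is the silence of the second loop: from the client's side a dropped pipelined request is indistinguishable from a slow server, which is why a change to how much decrypted data is retained after the first request has to be judged against pipelining clients, not only against the injection scenario.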
