Joe Orton wrote:
> On Tue, Nov 17, 2009 at 06:12:41PM +0100, Hartmut Keil wrote:
>> The client must stop and wait for the response in any case, otherwise the
>> response of a subsequent request will get lost, if the server is not
>> configured
>> for keep-alive, or the response for the first request causes the server to
>> close
>> the connection:
>
> It's not the case that clients "must stop and wait" - read RFC 2616 for
> a description of HTTP pipelining.
You're right, I missed that point. According to
http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.1.2.2
"...Clients MUST also be prepared to resend their requests if the server
closes the connection before sending all of the corresponding responses. ...."
we are allowed to close the keepalive connection after sending the response.

With the proposed change, we prevent request splitting attacks based on the
TLS renegotiation flaw. From my point of view without drawbacks, since
'pipelining' clients must handle the closing of a connection after a complete
response in any case.

Regards
Hartmut

--- ssl_engine_io.c.patched 2009-11-16 10:57:23.416525000 +0100
+++ ssl_engine_io.c 2009-11-19 15:52:28.852264000 +0100
@@ -478,6 +478,13 @@
         inctx->rc = APR_ECONNABORTED;
         return -1;
     }
+    /* Clear buffer with decrypted data if the server has initiated a renegotiation.*/
+    if (inctx->filter_ctx->config->reneg_state == RENEG_ALLOW) {
+        char_buffer_write(&inctx->cbuf, NULL, 0);
+        /* disable keep alive */
+        conn_rec *c = (conn_rec *)SSL_get_app_data(inctx->filter_ctx->pssl);
+        c->keepalive = AP_CONN_CLOSE;
+    }
 
     /* XXX: flush here only required for SSLv2;
      * OpenSSL calls BIO_flush() at the appropriate times for

> > Regards, Joe
> --

-- 
AdNovum Informatik AG
Hartmut Keil, Senior Software Engineer
Dipl. Physiker
Roentgenstrasse 22, CH-8005 Zurich
mailto:[email protected]
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch
AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)
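Review bot: In the new `if` block, `conn_rec *c = (conn_rec *)SSL_get_app_data(inctx->filter_ctx->pssl);` is declared after the `char_buffer_write(&inctx->cbuf, NULL, 0);` statement; a declaration following a statement is C99 only, so move it to the top of the block (or before the `if`) to keep the file buildable with C89 compilers. The pointer it yields is then dereferenced in `c->keepalive = AP_CONN_CLOSE;` without a NULL check on the SSL_get_app_data() result. Also, the comment says the decrypted buffer is cleared "if the server has initiated a renegotiation", but the condition only tests `reneg_state == RENEG_ALLOW`, i.e. that renegotiation is currently permitted, not that one has actually taken place; either reword the comment to match, or gate the discard and the forced close on a flag that records that a renegotiation occurred, so that buffered plaintext is not thrown away and keep-alive disabled on connections where no renegotiation happened.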
