On 03/03/2010 10:34 PM, William A. Rowe Jr. wrote:
> On 3/3/2010 2:00 PM, Mladen Turk wrote:
>> Right, and I'm afraid if SSLInsecureRenegotiation (default) isn't set
>> while compiled with 0.9.8m one can easily create a DoS attack.
> Stop.
Whether I stop or not, it will not make that disappear :)
> Please don't abuse words like DoS to describe utilization. Of course IE
> and Firefox, Opera and Safari are all DoS tools. It's called consuming
> server resources :)
while true; do
    # "R" makes s_client request a renegotiation on the open connection;
    # host:port is the server under test
    echo R | openssl s_client -connect host:port &
done
Not only will it kill the server, it will kill your box as well :)
Seriously, I was hoping 0.9.8m would reject legacy clients
unless SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is explicitly set,
but it seems that's not the case, or we are doing something wrong in mod_ssl.
Regards
--
^TM
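A related check, added here as an example and not part of the thread or of mod_ssl: before trying to drive renegotiations at a server, it is worth knowing whether the peer advertises RFC 5746 (secure renegotiation) at all. This script parses the status line that `openssl s_client` prints from 0.9.8m onward; the exact "Secure Renegotiation IS supported" / "IS NOT supported" wording, the host and port arguments, and the sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: classify a server's renegotiation
# support from `openssl s_client` output. Assumes the "Secure Renegotiation
# IS supported" / "IS NOT supported" status line that s_client prints
# from OpenSSL 0.9.8m onward; host and port are placeholders.

# classify_reneg: read s_client output on stdin, print a verdict and
# return 0 = RFC 5746 (secure renegotiation) supported,
#        1 = only legacy (insecure) renegotiation advertised,
#        2 = could not tell (an older s_client prints neither line).
classify_reneg() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS NOT supported"*)
            echo "legacy-only"; return 1 ;;
        *"Secure Renegotiation IS supported"*)
            echo "rfc5746"; return 0 ;;
        *)
            echo "unknown"; return 2 ;;
    esac
}

# probe_reneg HOST PORT: run one handshake and classify it. "Q" makes
# s_client close the connection instead of waiting on stdin, so the
# probe itself does not hold a connection open on the server.
probe_reneg() {
    echo Q | openssl s_client -connect "$1:$2" 2>/dev/null | classify_reneg
}

# Constructed sample outputs (trimmed) so the classifier runs offline.
SAMPLE_RFC5746='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
Compression: NONE'
SAMPLE_LEGACY='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
Compression: NONE'
SAMPLE_OLD='New, TLSv1/SSLv3, Cipher is AES256-SHA
Compression: NONE'

# Stand-alone use against a live server: ./probe.sh host 443
if [ "$#" -eq 2 ]; then
    probe_reneg "$1" "$2"
fi
```

The "legacy-only" verdict is the case the thread is about: such a server accepts client-initiated renegotiation without the RFC 5746 extension, so the loop above can keep it busy with full handshakes, and a client library that merely sets SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION will talk to it without complaint.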