On 3/3/2010 4:41 PM, Joe Orton wrote:
> On Wed, Mar 03, 2010 at 11:21:47PM +0100, Mladen Turk wrote:
>> SSLInsecureRenegotiation off
>> echo R | openssl-0.9.8m s_client .. disconnects
>> echo R | openssl-0.9.8k s_client .. hangs until ServerTimeout
>
> Ah, right, hmm. Yes, this is exactly as Bill says, the client is ignoring the alert and then the server is hanging until a read times out. This consumes exactly the same amount of server resources as the client doing nothing with the connection.
>
> I'm not sure why the connection is not being forcibly closed by the server in this case, but:
>
> a) it's certainly not a security issue
> b) real clients don't initiate reneg, so it's not a practical issue
You were incorrect in your statement b) above; http://marc.info/?l=openssl-dev&m=125873536926916&w=2 suggests real (handheld/phone) implementations that do this (or perhaps it was really their proxy/gateway).
