On Fri, 2012-05-25 at 16:39 +0100, Gordon Sim wrote:
> ...
> FWIW I really don't like that code.

Neither do I, possibly for different reasons.

>
> It doesn't actually protect from badly behaved client code anyway, only
> from one specific case. Provided you send a valid AMQP header you can
> still use up all the connections without doing anything further and
> without authenticating.

Fair point. It doesn't protect you from all badly behaved code, but it is a stepwise improvement from the previous state.

>
> Rather than having a maximum time to negotiate the protocol version what
> is really needed is a maximum time to authenticate.

I agree. I'll see if there is an obviously equally safe place to detect we've authenticated.

Of course this still won't protect you from a massive DDoS.

Andrew
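
The difference between the two deadlines discussed in this thread, as an added example that is not part of the original e-mails and is not Qpid code: a toy broker model replayed against a constructed event list. The class, event names, timeout values and sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    accepted_at: float
    header_ok: bool = False       # valid protocol header received
    authenticated: bool = False   # authentication completed

class ToyBroker:
    """Hypothetical model: a broker with a fixed number of connection slots."""
    def __init__(self, max_conns, header_timeout=None, auth_timeout=None):
        self.max_conns = max_conns
        self.header_timeout = header_timeout  # max seconds to send a header
        self.auth_timeout = auth_timeout      # max seconds to authenticate
        self.conns = {}

    def _reap(self, now):
        # Drop connections that missed whichever deadline is enabled.
        for name, c in list(self.conns.items()):
            age = now - c.accepted_at
            late_header = (self.header_timeout is not None
                           and not c.header_ok and age > self.header_timeout)
            late_auth = (self.auth_timeout is not None
                         and not c.authenticated and age > self.auth_timeout)
            if late_header or late_auth:
                del self.conns[name]

    def handle(self, now, name, event):
        """Apply one event; return False only when a new connection is refused."""
        self._reap(now)
        if event == "accept":
            if len(self.conns) >= self.max_conns:
                return False
            self.conns[name] = Conn(accepted_at=now)
        elif name in self.conns:
            if event == "header":
                self.conns[name].header_ok = True
            elif event == "auth" and self.conns[name].header_ok:
                self.conns[name].authenticated = True
        return True

def refused(broker, events):
    """Replay (time, name, event) tuples; list the connections turned away."""
    return [n for t, n, e in sorted(events) if not broker.handle(t, n, e)]

# Constructed sample: two clients send a valid header and then stall;
# a well-behaved client arrives ten seconds later.
EVENTS = [(0.0, "idle-1", "accept"), (0.1, "idle-1", "header"),
          (0.2, "idle-2", "accept"), (0.3, "idle-2", "header"),
          (10.0, "client", "accept"), (10.1, "client", "header"),
          (10.2, "client", "auth")]
```

Replaying `EVENTS` through `ToyBroker(2, header_timeout=2.0)` and then through `ToyBroker(2, auth_timeout=2.0)` shows which policy frees the stalled slots before the later client connects.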