
[PATCH] Add a configuration option to disable HTTP pipelining.

From: Lieven Govaerts <lgo_at_mobsol.be>
Date: Tue, 19 Aug 2014 14:25:22 +0100

Hi,

attached patch adds a new configuration flag to disable HTTP pipelining.

There's a bug in OpenSSL's SSL renegotiation algorithm. When it's
initiated by the server to request a client certificate, it'll fail
when on the connection pipelined requests are incoming at the server
side.

Short summary of the root cause: during renegotiation, OpenSSL reads
data from the TCP connection expecting it to be a proper client
certificate. However, if an HTTP request was still pending on the
connection or in the server's receive buffer, OpenSSL will read that
request's data, recognise it's not a proper client certificate, discard
the data and report an error. Apache will then abort the connection in
response to that OpenSSL error.

Given that there's no fix planned in OpenSSL, the only available
mitigation is to disable HTTP pipelining on connections where an SSL
renegotiation can happen. Since that depends on the configuration of
the server, we can't really know or predict when such renegotiation
will happen.

Conclusion: give the user the option to disable HTTP pipelining, which
she can use in case of problems caused by renegotiation.
Attached patch implements just that.

Objections anyone? Other remarks?

Lieven

[[[
Add an option "http-pipelining" to the servers configuration, so that a user
can disable HTTP pipelining in case that causes problems, e.g. during SSL
renegotiation triggered by the server to request a client certificate.

* subversion/include/svn_config.h
  (SVN_CONFIG_OPTION_HTTP_PIPELINING): New boolean config option.

* subversion/libsvn_ra_serf/ra_serf.h
  (struct svn_ra_serf__session_t): New member variable http_pipelining.

* subversion/libsvn_ra_serf/serf.c
  (load_config): Load the value of the new option from the servers file. If not
       set, use 'HTTP pipelining is enabled' by default.
  (svn_ra_serf__open,
   ra_serf_dup_session): Set the max. nr. of outstanding requests to 1
       if HTTP pipelining is disabled.

* subversion/libsvn_ra_serf/update.c
  (open_connection_if_needed): Set the max. nr. of outstanding requests to 1
       if HTTP pipelining is disabled.

* subversion/libsvn_subr/config_file.c
  (svn_config_ensure): Add the 'http-pipelining' option in the comment section
       of the initial servers file.
]]]

Received on 2014-08-19 15:26:21 CEST

This is an archived mail posted to the Subversion Dev mailing list.
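
The failure described in the mail, as a simplified model added here (an illustration, not code from the patch, Subversion, serf or OpenSSL). It shows why capping outstanding requests at 1 keeps the client's handshake reply from queuing behind pipelined request data; `run_session`, `protected_prefix` and the sample paths are assumptions made for the example.

```python
from collections import deque

HANDSHAKE, APPLICATION_DATA = 22, 23  # TLS record content types


def run_session(requests, max_outstanding, protected_prefix="/private/"):
    """Model one connection; return (completed_paths, error_or_None).

    protected_prefix is a hypothetical location for which the server wants a
    client certificate and therefore starts a renegotiation.
    """
    if max_outstanding < 1:
        raise ValueError("max_outstanding must be at least 1")
    pending = deque(requests)   # requests the client has not sent yet
    wire = deque()              # records sent by the client, unread by the server
    completed = []
    have_client_cert = False

    while pending or wire:
        # Client: keep up to max_outstanding requests unanswered on the wire.
        while pending and len(wire) < max_outstanding:
            wire.append((APPLICATION_DATA, pending.popleft()))

        # Server: read and handle the next request.
        _, path = wire.popleft()
        if path.startswith(protected_prefix) and not have_client_cert:
            # Server asks for a certificate. The client's handshake reply
            # queues behind whatever it had already pipelined.
            wire.append((HANDSHAKE, "Certificate"))
            record_type, _ = wire.popleft()
            if record_type != HANDSHAKE:
                # As in the mail: the data is discarded, an error is
                # reported, and the connection is aborted.
                return completed, "renegotiation failed: read application data"
            have_client_cert = True
        completed.append(path)
    return completed, None


if __name__ == "__main__":
    paths = ["/public/a", "/private/b", "/private/c"]   # constructed sample
    for limit in (4, 1):   # pipelining on, then limited to 1 as in the patch
        print(limit, run_session(paths, limit))
```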
