[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] Add a configuration option to disable HTTP pipelining.

From: Mark Phippard <markphip_at_gmail.com>
Date: Tue, 19 Aug 2014 09:34:42 -0400

On Tue, Aug 19, 2014 at 9:25 AM, Lieven Govaerts <lgo_at_mobsol.be> wrote:

There's a bug in OpenSSL's SSL renegotiation algorithm. When it's
> initiated by the server to request a client certificate, it'll fail
> when on the connection pipelined requests are incoming at the server
> side.
> Short summary of the root cause: during renegotiation, OpenSSL reads
> data from the TCP connection expecting it to be a proper client
> certificate. However, if an HTTP request was still pending on the
> connection or in the server's receive buffer, OpenSSL will read that
> request's data, recognise its not a proper client certificate, discard
> the data and report an error. Apache will then abort the connection in
> response to that OpenSSL error.
> Given that there's no fix planned in OpenSSL, the only available
> mitigation is to disable HTTP pipelining on connections where a SSL
> renegotiation can happen. Since that depends on the configuration of
> the server, we can't really know or predict when such renegotiation
> will happen.
> Conclusion: give the user the option to disable HTTP pipelining, which
> she can use in case of problems caused by renegotiation.
> Attached patch implements just that.
> Objections anyone? Other remarks?
I assume it is not possible for Serf to know that it is using client
connections and disable it automatically?

I assume this problem does not happen all the time? How does it manifest
currently? What error does user see.

We have a few customers that use client certificates, and AFAIK, they have
been using SVN 1.8 OK.

Mark Phippard
Received on 2014-08-19 15:35:12 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.