On Tue, Aug 19, 2014 at 9:25 AM, Lieven Govaerts <lgo_at_mobsol.be> wrote:
There's a bug in OpenSSL's SSL renegotiation algorithm. When it's
> initiated by the server to request a client certificate, it'll fail
> when on the connection pipelined requests are incoming at the server
> side.
>
> Short summary of the root cause: during renegotiation, OpenSSL reads
> data from the TCP connection expecting it to be a proper client
> certificate. However, if an HTTP request was still pending on the
> connection or in the server's receive buffer, OpenSSL will read that
> request's data, recognise its not a proper client certificate, discard
> the data and report an error. Apache will then abort the connection in
> response to that OpenSSL error.
>
> Given that there's no fix planned in OpenSSL, the only available
> mitigation is to disable HTTP pipelining on connections where a SSL
> renegotiation can happen. Since that depends on the configuration of
> the server, we can't really know or predict when such renegotiation
> will happen.
>
> Conclusion: give the user the option to disable HTTP pipelining, which
> she can use in case of problems caused by renegotiation.
> Attached patch implements just that.
>
> Objections anyone? Other remarks?
>
>
I assume it is not possible for Serf to know that it is using client
connections and disable it automatically?
I assume this problem does not happen all the time? How does it manifest
currently? What error does user see.
We have a few customers that use client certificates, and AFAIK, they have
been using SVN 1.8 OK.
--
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2014-08-19 15:35:12 CEST