Merge r891282 from trunk resp. 896900 from 2.2.x:
Further mitigation for the TLS renegotation attack, CVE-2009-3555: * modules/ssl/ssl_engine_kernel.c (has_buffered_data): New function. (ssl_hook_Access): Forcibly disable keepalive for the connection if there is any buffered data readable from the input filter stack. * modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Ensure that the BIO uses blocking operations when invoked outside direct control of the httpd filter stack. Thanks to Hartmut Keil <Hartmut.Keil adnovum.ch> for proposing this technique. Submitted by: jorton Backport by: rjung Reviewed by: pgollucci, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1002227 13f79535-47bb-0310-9956-ffa450edef68
parent
26ddd114
Please register or sign in to comment