Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/08/11 07:56:21 UTC
[Bug 59970] New: DoS with a single TLS connection on windows
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970
Bug ID: 59970
Summary: DoS with a single TLS connection on windows
Product: Apache httpd-2
Version: 2.4.23
Hardware: PC
Status: NEW
Severity: major
Priority: P2
Component: Platform
Assignee: bugs@httpd.apache.org
Reporter: mludha@gmail.com
I'm a software developer at ESET and I believe I've found a bug in Apache
running on Windows (but not on Linux) that presents both a compatibility issue
between the ESET line of security products and a huge potential for DoS of Apache.
The simplest way to demonstrate this is:
1. Download http://de.apachehaus.com/downloads/httpd-2.4.23-x86-vc11.zip, unzip
2. Run httpd.exe
3. Verify that https://127.0.0.1 loads (proceed despite certificate warnings)
4. Run nc 127.0.0.1 443
5. Open https://127.0.0.1 again
6. Observe that the page loads for basically forever
7. Kill nc, observe that the page loads shortly after
This leads me to believe that holding a single https connection open to Apache
running on Windows without sending client hello is enough to prevent the server
from responding to any new connections. Can you please investigate?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 59970] DoS with a single TLS connection on windows
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970
Ray Satiro <ra...@yahoo.com> changed:
What        |Removed                     |Added
----------------------------------------------------------------------------
CC          |                            |raysatiro@yahoo.com
[Bug 59970] DoS with a single TLS connection on windows
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970
--- Comment #4 from Yann Ylavic <yl...@gmail.com> ---
(In reply to Yann Ylavic from comment #3)
> Maybe using both:
> AcceptFilter http none
> AcceptFilter https none
> ?
Sorry, I read "Neither" instead of "Either" in comment 2, so this test is
useless...
Thanks for the report, we'll look at this.
[Bug 59970] DoS with a single TLS connection on windows
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970
Yann Ylavic <yl...@gmail.com> changed:
What        |Removed                     |Added
----------------------------------------------------------------------------
Resolution  |---                         |FIXED
Status      |NEW                         |RESOLVED
--- Comment #5 from Yann Ylavic <yl...@gmail.com> ---
Fixed in r1759471 for upcoming 2.4.24.
[Bug 59970] DoS with a single TLS connection on windows
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970
--- Comment #3 from Yann Ylavic <yl...@gmail.com> ---
Maybe using both:
AcceptFilter http none
AcceptFilter https none
?
[Bug 59970] DoS with a single TLS connection on windows
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970
Yann Ylavic <yl...@gmail.com> changed:
What        |Removed                     |Added
----------------------------------------------------------------------------
OS          |                            |All
--- Comment #1 from Yann Ylavic <yl...@gmail.com> ---
Can you still reproduce with:
AcceptFilter https connect
or:
AcceptFilter https none
?
[Bug 59970] DoS with a single TLS connection on windows
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970
--- Comment #2 from mludha@gmail.com ---
Either option makes the problem go away.
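Added example, not part of the bug thread or of httpd: a small audit that reads the text of one httpd.conf from a Windows host and reports whether the https listener still needs the AcceptFilter workaround discussed in comments #1 and #2, given the fix version named in comment #5. It assumes a pre-2.4.24 Windows build behaves as "data" when no AcceptFilter line is present, and it does not follow Include directives; the function names and sample configurations are constructed for illustration.

```python
import re

# Filters that comment #2 reports make the hang go away.
SAFE_FILTERS = {"none", "connect"}
# Comment #5 announces the fix for 2.4.24; earlier builds are treated as affected.
FIXED_IN = (2, 4, 24)
# Assumption: with no AcceptFilter line, an affected Windows build behaves as
# "data" (the report reproduces on the stock configuration).
ASSUMED_DEFAULT = "data"

# Anchored at line start, so commented-out directives ("# AcceptFilter ...")
# never match. Directive names are case-insensitive in httpd configuration.
DIRECTIVE = re.compile(r"^\s*AcceptFilter\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def effective_accept_filters(conf_text):
    """Return {protocol: filter}; a later AcceptFilter line overrides an earlier one."""
    filters = {}
    for line in conf_text.splitlines():
        match = DIRECTIVE.match(line)
        if match:
            filters[match.group(1).lower()] = match.group(2).lower()
    return filters


def audit_https(conf_text, version):
    """Return (needs_workaround, effective_filter) for the https listener."""
    current = effective_accept_filters(conf_text).get("https", ASSUMED_DEFAULT)
    parsed = tuple(int(part) for part in version.split("."))
    needs_workaround = parsed < FIXED_IN and current not in SAFE_FILTERS
    return needs_workaround, current


# Constructed sample configurations (not taken from the bug report).
STOCK = "Listen 443\n# AcceptFilter https none\nSSLEngine on\n"
WORKAROUND = "Listen 443\nAcceptFilter http none\nacceptfilter HTTPS Connect\n"

if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("workaround", WORKAROUND)):
        for version in ("2.4.23", "2.4.24"):
            print(name, version, audit_https(conf, version))
```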