Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/08/11 07:56:21 UTC

[Bug 59970] New: DoS with a single TLS connection on windows

https://bz.apache.org/bugzilla/show_bug.cgi?id=59970

            Bug ID: 59970
           Summary: DoS with a single TLS connection on windows
           Product: Apache httpd-2
           Version: 2.4.23
          Hardware: PC
            Status: NEW
          Severity: major
          Priority: P2
         Component: Platform
          Assignee: bugs@httpd.apache.org
          Reporter: mludha@gmail.com

I'm a software developer at ESET and I believe I've found a bug in Apache
running on Windows (but not on Linux) that presents both a compatibility issue
between the ESET line of security products and a huge potential for DoS of Apache.
The simplest way to demonstrate this is:
1. Download http://de.apachehaus.com/downloads/httpd-2.4.23-x86-vc11.zip, unzip
2. Run httpd.exe
3. Verify that https://127.0.0.1 loads (proceed despite certificate warnings)
4. Run nc 127.0.0.1 443
5. Open https://127.0.0.1 again
6. Observe that the page loads for basically forever
7. Kill nc, observe that the page loads shortly after

This leads me to believe that holding a single https connection open to Apache
running on Windows without sending client hello is enough to prevent the server
from responding to any new connections. Can you please investigate?

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 59970] DoS with a single TLS connection on windows

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970

Ray Satiro <ra...@yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |raysatiro@yahoo.com



[Bug 59970] DoS with a single TLS connection on windows

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970

--- Comment #4 from Yann Ylavic <yl...@gmail.com> ---
(In reply to Yann Ylavic from comment #3)
> Maybe using both:
>   AcceptFilter http none
>   AcceptFilter https none
> ?

Sorry, I read "Neither" instead of "Either" in comment 2, so this test is
useless...

Thanks for the report, we'll look at this.



[Bug 59970] DoS with a single TLS connection on windows

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970

Yann Ylavic <yl...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #5 from Yann Ylavic <yl...@gmail.com> ---
Fixed in r1759471 for upcoming 2.4.24.



[Bug 59970] DoS with a single TLS connection on windows

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970

--- Comment #3 from Yann Ylavic <yl...@gmail.com> ---
Maybe using both:
  AcceptFilter http none
  AcceptFilter https none
?



[Bug 59970] DoS with a single TLS connection on windows

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970

Yann Ylavic <yl...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Yann Ylavic <yl...@gmail.com> ---
Can you still reproduce with:
  AcceptFilter https connect
or:
  AcceptFilter https none
?



[Bug 59970] DoS with a single TLS connection on windows

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59970

--- Comment #2 from mludha@gmail.com ---
Either option makes the problem go away.

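
As an added example (not part of this thread and not httpd project code), a small Python check for the workaround discussed in comments #1 and #2: it reads httpd.conf text and reports whether the effective AcceptFilter for https is "none" or "connect". The sample configurations are constructed and the function names are hypothetical; it assumes the last AcceptFilter line for a protocol wins and it does not follow Include files.

```python
import re

# Filter values the reporter confirmed make the stall go away (comment #2).
SAFE_FILTERS = {"none", "connect"}

# Directive name and arguments are matched case-insensitively.
DIRECTIVE = re.compile(r"^AcceptFilter\s+(\S+)\s+(\S+)$", re.IGNORECASE)

def effective_accept_filters(conf_text):
    """Return {protocol: filter} from AcceptFilter lines; the last line wins."""
    filters = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        match = DIRECTIVE.match(line)
        if match:
            filters[match.group(1).lower()] = match.group(2).lower()
    return filters

def audit(conf_text, protocols=("https",)):
    """Return (protocol, configured value or None, ok) for each protocol."""
    filters = effective_accept_filters(conf_text)
    return [(p, filters.get(p), filters.get(p) in SAFE_FILTERS) for p in protocols]

# Constructed sample configurations (not taken from any real server).
SAMPLE_UNSET = "Listen 443\n# AcceptFilter https none\n"
SAMPLE_MITIGATED = "Listen 443\nAcceptFilter http none\nAcceptFilter https none\n"
SAMPLE_OVERRIDDEN = "AcceptFilter https connect\nacceptfilter HTTPS data\n"

if __name__ == "__main__":
    samples = [("unset", SAMPLE_UNSET), ("mitigated", SAMPLE_MITIGATED),
               ("overridden", SAMPLE_OVERRIDDEN)]
    for name, text in samples:
        for proto, value, ok in audit(text):
            shown = value if value is not None else "(not set, server default applies)"
            status = "OK" if ok else "REVIEW"
            print(f"{name}: AcceptFilter {proto} = {shown} -> {status}")
```

A REVIEW result on a Windows host running a version before the fix mentioned in comment #5 means the workaround from this thread is not in effect in that file.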