On Fri, Nov 22, 2002 at 11:35:43AM -0500, ervin ruci wrote:
> please reply if you can:
> this is a serious openssl vulnerability:
> here is the log:
> [Fri Nov 22 11:08:33 2002] [error] [client 164.77.208.74] client sent
> HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
> [Fri Nov 22 11:08:43 2002 : 64.86.0.229] domain silvercrest.ca rar 29
> (24502)
> [Fri Nov 22 11:08:46 2002] [error] server reached MaxClients setting,
> consider raising the MaxClients setting
> [Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client
> 164.77.208.74, server venus.cira.ca:443)
> [Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client
> 164.77.208.74, server venus.cira.ca:443)
> [Fri Nov 22 11:13:46 2002] [error] mod_ssl: SSL handshake timed out (client
> 164.77.208.74, server venus.cira.ca:443)
> [Fri Nov 22 11:13:47 2002] [error] mod_ssl: SSL handshake timed out (client
> 164.77.208.74, server venus.cira.ca:443)
> [Fri Nov 22 11:13:48 2002] [error] mod_ssl: SSL handshake timed out (client
> 164.77.208.74, server venus.cira.ca:443)
> [Fri Nov 22 11:13:49 2002] [error] mod_ssl: SSL handshake timed out (client
> 164.77.208.74, server venus.cira.ca:443)
> [Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake failed (server
> venus.cira.ca:443, client 164.77.208.74) (OpenSSL library error foll\
> ows)
> [Fri Nov 22 11:13:50 2002] [error] OpenSSL: error:1406B458:SSL
> routines:GET_CLIENT_MASTER_KEY:key arg too long
> [Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client
> 164.77.208.74, server venus.cira.ca:443)
> [Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client
> 164.77.208.74, server venus.cira.ca:443)
> [Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client
> 164.77.208.74, server venus.cira.ca:443)
>
>
> server crash!!!!!
Are you using an up-to-date version of OpenSSL? If this is the case, how come
you are so sure that it is "a serious openssl vulnerability"? Can you PROVE
that OpenSSL is the reason for the server crash???

> -----Original Message-----
> From: ervin ruci [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 22, 2002 10:46 AM
> To: Richard Levitte - VMS Whacker; [EMAIL PROTECTED]
> Subject: RE: Beta 4 of OpenSSL 0.9.7
>
>
> what is actually of greater urgency for me is an openssl vulnerability that
> allows clients to just open the connection and leave it hanging, hence
> forcing my web server to reach its maxclients setting and crash. this
> problem was addressed by openssl version g for the linux platform, but on
> solaris the vulnerability still exists with this version. that's why i went
> to try the beta version in the first place, hoping you would have taken care
> of this.

I don't see in what way this has to do with OpenSSL. OpenSSL is not different
between platforms.

Sincere regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
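As an added illustration, not part of this thread and not code from the OpenSSL or mod_ssl projects: a defender-side Python script that parses Apache 1.3 / mod_ssl error-log lines of the kind quoted above, flags clients that pile up "SSL handshake timed out" entries within a short window, and correlates those entries with "server reached MaxClients" events. The sample log is constructed (documentation IP addresses, a made-up hostname) and only mimics the line formats shown in the thread. The 300-second figure is an assumption that mod_ssl's handshake timeout equals Apache's `Timeout` directive (300 s by default); a pending handshake is only logged when that timer expires, so the connection was accepted roughly that long before the log entry, which is why the MaxClients event at 11:08:46 in the quoted log lines up with timeouts logged at 11:13:42 and later.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the Apache 1.3 / mod_ssl error-log format quoted in the
# thread. IPs are RFC 5737 documentation addresses and the hostname is made up.
SAMPLE_LOG = """\
[Fri Nov 22 11:08:40 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Nov 22 11:08:46 2002] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client 192.0.2.10, server www.example.net:443)
[Fri Nov 22 11:13:42 2002] [error] mod_ssl: SSL handshake timed out (client 192.0.2.10, server www.example.net:443)
[Fri Nov 22 11:13:46 2002] [error] mod_ssl: SSL handshake timed out (client 192.0.2.10, server www.example.net:443)
[Fri Nov 22 11:13:47 2002] [error] mod_ssl: SSL handshake timed out (client 192.0.2.10, server www.example.net:443)
[Fri Nov 22 11:13:48 2002] [error] mod_ssl: SSL handshake timed out (client 192.0.2.10, server www.example.net:443)
[Fri Nov 22 11:13:49 2002] [error] mod_ssl: SSL handshake timed out (client 198.51.100.7, server www.example.net:443)
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake failed (server www.example.net:443, client 192.0.2.10) (OpenSSL library error follows)
[Fri Nov 22 11:13:50 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Fri Nov 22 11:13:50 2002] [error] mod_ssl: SSL handshake timed out (client 192.0.2.10, server www.example.net:443)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"                      # e.g. "Fri Nov 22 11:13:42 2002"
CLIENT_RE = re.compile(r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def classify(msg):
    """Map an error-log message to one of the event kinds this script cares about."""
    if msg.startswith("mod_ssl: SSL handshake timed out"):
        return "handshake_timeout"
    if msg.startswith("mod_ssl: SSL handshake failed"):
        return "handshake_failed"
    if msg.startswith("server reached MaxClients"):
        return "maxclients"
    return "other"


def parse_line(line):
    """Parse one error_log line into a dict, or None for lines in another format
    (the thread also shows non-Apache lines such as '[... : ip] domain ...')."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    msg = m.group("msg")
    c = CLIENT_RE.search(msg)
    return {"ts": ts, "kind": classify(msg), "client": c.group("ip") if c else None, "msg": msg}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def handshake_timeout_bursts(entries, window_secs=60, threshold=5):
    """Return {client_ip: peak} for clients that reach `threshold` handshake timeouts
    inside any sliding window of `window_secs` seconds."""
    by_client = defaultdict(list)
    for e in entries:
        if e["kind"] == "handshake_timeout" and e["client"]:
            by_client[e["client"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_client.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > timedelta(seconds=window_secs):
                start += 1                           # slide the window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def correlate_with_maxclients(entries, handshake_timeout_secs=300, slack_secs=30):
    """For each MaxClients event, count the handshake timeouts logged about
    `handshake_timeout_secs` later, i.e. connections that were most likely holding
    server slots when the limit was hit. ASSUMPTION: mod_ssl's handshake timeout
    equals Apache's Timeout directive (300 s default); adjust to the server's value."""
    results = []
    for m in entries:
        if m["kind"] != "maxclients":
            continue
        lo = m["ts"] + timedelta(seconds=handshake_timeout_secs - slack_secs)
        hi = m["ts"] + timedelta(seconds=handshake_timeout_secs + slack_secs)
        suspects = Counter(e["client"] for e in entries
                           if e["kind"] == "handshake_timeout" and e["client"]
                           and lo <= e["ts"] <= hi)
        results.append((m["ts"], dict(suspects)))
    return results


def analyse(text):
    entries = parse_log(text)
    return {"bursts": handshake_timeout_bursts(entries),
            "maxclients": correlate_with_maxclients(entries)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("clients with handshake-timeout bursts:", report["bursts"])
    for ts, suspects in report["maxclients"]:
        print(f"MaxClients hit at {ts:%H:%M:%S}; timeouts logged ~Timeout later:", suspects)
```

On a real `error_log` this is run as `analyse(open(path).read())`; the window, threshold and timeout are tuning knobs, and the "handshake_failed" lines are parsed so that a later rule can join them with the "OpenSSL: error:..." line that follows. What the correlation shows is a capacity problem at the httpd layer (slots held for the full `Timeout` by clients that never finish the handshake), which is addressed by `Timeout` and `MaxClients` tuning or a front-end connection limit rather than by the OpenSSL library, in line with Lutz's reply above.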