On Fri, Feb 26, 2010 at 02:45:19AM +0100, Dr. Stephen Henson wrote:
> On Thu, Feb 25, 2010, Victor Duchovni wrote:
>
> >
> > If I field a patched server, and sufficiently many unpatched pre-0.9.8m
> > OpenSSL clients attempt re-negotiation under normal conditions, I have
> > a resource starvation problem and unhappy users who are more annoyed at
> > stuck connections than failed ones.
> >
>
> It would under normal circumstances (for some value of normal) require a
> specific request to renegotiate from the client code or setting of
> renegotiation values in an SSL BIO. I don't know how many clients do that:
> I suspect (and hope!) not many.
In the not entirely rare case when servers dynamically request client certs
based on the requested URL (the server triggers renegotiation and asks for the
initially not requested client certs), I assume there is no "hanging"
connection, as the renegotiation is server-initiated... If so, the problem
use-case is client-initiated renegotiation that is not prompted by the server;
perhaps this is sufficiently rare when combined with the restriction that the
clients are OpenSSL based, and thus not various vendor products known to
spontaneously renegotiate.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org