Changeset 72b669e in mod_gnutls for test/tests/25_Disable_TLS_1.0

Timestamp: Sep 27, 2018, 1:23:25 PM (2 years ago)
Author: Fiona Klute <fiona.klute@…>
Branches: debian/master, master, proxy-ticket
Children: c33ef88
Parents: 514d4d6
Message:

Refuse to send or receive over a failed TLS connection

On a failed connection (e.g. after a refused handshake) the
input/output filters would pass data unprocessed to the next filter in
the chain. On a normal server this just led to odd log messages
(because the HTTP handler couldn't process whatever the client was
sending), but for proxy HTTPS connections it caused a security issue:
The proxy request would be sent unencrypted after the failed
handshake, and the connection only closed when mod_proxy didn't
receive a valid response.

The fix is to refuse any send or receive operations through the
filters if the TLS connection failed.

(No files)
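
The fail-open versus fail-closed behaviour described in the commit message, reduced to a toy output filter chain. This is an added example, not code from mod_gnutls: the struct, function names, return codes and the XOR stand-in for record protection are all hypothetical, and only the send path is modelled.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of an output filter chain; hypothetical names, not mod_gnutls code. */
enum tls_state { TLS_FAILED = -1, TLS_ESTABLISHED = 1 };
enum { FILTER_OK = 0, FILTER_ECONNABORTED = -1 };

struct conn {
    enum tls_state state;
    char wire[128];   /* bytes handed to the next filter, i.e. sent to the peer */
    size_t wire_len;
};

/* Next filter in the chain: forwards whatever it is given. */
static int next_filter(struct conn *c, const char *buf, size_t len) {
    if (len > sizeof(c->wire) - c->wire_len) return FILTER_ECONNABORTED;
    memcpy(c->wire + c->wire_len, buf, len);
    c->wire_len += len;
    return FILTER_OK;
}

/* Placeholder for TLS record protection (XOR only marks the data as processed). */
static int tls_send(struct conn *c, const char *buf, size_t len) {
    char rec[128];
    if (len > sizeof(rec)) return FILTER_ECONNABORTED;
    for (size_t i = 0; i < len; i++) rec[i] = (char)(buf[i] ^ 0x5a);
    return next_filter(c, rec, len);
}

/* Before the fix: a failed connection passes data on unprocessed. */
int output_filter_fail_open(struct conn *c, const char *buf, size_t len) {
    if (c->state == TLS_FAILED) return next_filter(c, buf, len);
    return tls_send(c, buf, len);
}

/* After the fix: a failed connection refuses the write and forwards nothing. */
int output_filter_fail_closed(struct conn *c, const char *buf, size_t len) {
    if (c->state == TLS_FAILED) return FILTER_ECONNABORTED;
    return tls_send(c, buf, len);
}

int main(void) {
    struct conn a = { TLS_FAILED, {0}, 0 }, b = a;
    const char req[] = "GET /private HTTP/1.1\r\n";   /* constructed sample request */
    int ra = output_filter_fail_open(&a, req, strlen(req));
    int rb = output_filter_fail_closed(&b, req, strlen(req));
    printf("fail-open rc=%d wire=%zu bytes; fail-closed rc=%d wire=%zu bytes\n",
           ra, a.wire_len, rb, b.wire_len);
    return 0;
}
```

A regression test for this class of bug asserts on what reached the next filter after a failed handshake, not only on the return code.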
