Skip Menu |
 

This queue is for tickets about the Socket-Class CPAN distribution.


Subject: very easy to DOS server, needs a server version of starttls()
Download (untitled) / with headers
text/plain 711b
Hello, The attached script illustrates the problem pretty well. 1) in one terminal start up ssl_server.perl (essentially the basic example) 2) in one or more start running ssl_client.perl (essentially the basic example) over and over in a large loop so far so good! 3) run ssl_dos_client.perl in another terminal one time Now the existing and subsequent ssl_client.perl are denied. To resolve this the server needs to start up non-SSL, then fork and upgrade to SSL. This doesn't currently seem possible with Socket::Class::SSL. I'll attach an example IO::Socket::SSL based ssl_server script that will sanely handle misbehaving clients soon so you'll be able to see the difference yourself. thanks!
Subject: ssl_dos_client.perl
Download ssl_dos_client.perl
application/octet-stream 144b

Message body not shown because it is not plain text.

Subject: ssl_server.perl
Download ssl_server.perl
application/octet-stream 673b

Message body not shown because it is not plain text.

Subject: ssl_client.perl
Download ssl_client.perl
application/octet-stream 375b

Message body not shown because it is not plain text.

Subject: Re: [rt.cpan.org #48066] very easy to DOS server, needs a server version of starttls()
Date: Tue, 21 Jul 2009 23:04:01 +0200 (CEST)
To: bug-Socket-Class [...] rt.cpan.org
From: "Christian Mueller" <christian [...] hbr1.com>
Download (untitled) / with headers
text/plain 1.3k
hello, it is possible to start ssl on connected plain sockets via the starttls() function. $ssl_socket = Socket::Class::SSL->starttls( $socket ); is it this you are looking for? Show quoted text
> Tue Jul 21 13:50:08 2009: Request 48066 was acted upon. > Transaction: Ticket created by DMUEY > Queue: Socket-Class > Subject: very easy to DOS server, needs a server version of > starttls() > Broken in: (no value) > Severity: (no value) > Owner: Nobody > Requestors: dmuey@cpan.org > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48066 > > > > Hello, > > The attached script illustrates the problem pretty well. > > 1) in one terminal start up ssl_server.perl (essentially the basic > example) > > 2) in one or more start running ssl_client.perl (essentially the basic > example) over and over > in a large loop > > so far so good! > > 3) run ssl_dos_client.perl in another terminal one time > > Now the existing and subsequent ssl_client.perl are denied. > > To resolve this the server needs to start up non-SSL, then fork and > upgrade to SSL. > > This doesn't currently seem possible with Socket::Class::SSL. > > I'll attach an example IO::Socket::SSL based ssl_server script that will > sanely handle > misbehaving clients soon so you'll be able to see the difference yourself. > > thanks! >
Subject: Re: [rt.cpan.org #48066] very easy to DOS server, needs a server version of starttls()
Date: Tue, 21 Jul 2009 16:10:46 -0500
To: bug-Socket-Class [...] rt.cpan.org
From: Dan Muey <webmaster [...] simplemood.com>
Download (untitled) / with headers
text/plain 495b
On Jul 21, 2009, at 4:04 PM, Christian Mueller via RT wrote: Show quoted text
> <URL: http://rt.cpan.org/Ticket/Display.html?id=48066 > > > hello, > > it is possible to start ssl on connected plain sockets via the > starttls() > function. > > $ssl_socket = Socket::Class::SSL->starttls( $socket ); > > is it this you are looking for?
Maybe, I've been trying to get it to work, I need to get my boss's IO::Socket::SSL version working then change it to use Socket::Class and see if that does the trick :)
The ssl_dos_client.perl attached in the OP had a typo, here's the actual one :)
Download ssl_dos_client.perl
application/octet-stream 144b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 173b
On Tue Jul 21 17:12:43 2009, DMUEY wrote: Show quoted text
> The ssl_dos_client.perl attached in the OP had a typo, here's the > actual one > :)
ok, lets try this *again* shesh.. sorry :)
Download ssl_dos_client.perl
application/octet-stream 142b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 835b
On Tue Jul 21 17:04:24 2009, christian@hbr1.com wrote: Show quoted text
> hello, > > it is possible to start ssl on connected plain sockets via the starttls() > function. > > $ssl_socket = Socket::Class::SSL->starttls( $socket ); > > is it this you are looking for?
If I adjust the ssl_server to do that before it's while() the clients all get: my $ssl = Socket::Class::SSL->starttls( $sock ) or die 'TLS initialization failed: ' . $sock->error; while ( my $c = $ssl->accept ) { Some I/O error occurred at ssl_client.perl line 3. That is with or without calling $ssl->set_certificate('/usr/local/apache/conf/ssl.crt/server.crt'); $ssl->set_private_key('/usr/local/apache/conf/ssl.key/server.key'); before the while() any ideas how to do the simple server example as a non SSL socket then upgrade it to SSL? thanks!
Subject: Re: [rt.cpan.org #48066] very easy to DOS server, needs a server version of starttls()
Date: Wed, 22 Jul 2009 00:05:01 +0200 (CEST)
To: bug-Socket-Class [...] rt.cpan.org
From: "Christian Mueller" <christian [...] hbr1.com>
Download (untitled) / with headers
text/plain 1.3k
Show quoted text
> Queue: Socket-Class > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48066 > > > On Tue Jul 21 17:04:24 2009, christian@hbr1.com wrote:
>> hello, >> >> it is possible to start ssl on connected plain sockets via the >> starttls() >> function. >> >> $ssl_socket = Socket::Class::SSL->starttls( $socket ); >> >> is it this you are looking for?
> > > If I adjust the ssl_server to do that before it's while() the clients all > get: > > my $ssl = Socket::Class::SSL->starttls( $sock ) > or die 'TLS initialization failed: ' . $sock->error; > > while ( my $c = $ssl->accept ) {
This wont work. starttls() only works on connected sockets. But by the way whats the different to creating a listening ssl socket directly? I thought you want do something like this: while( $client = $socket->accept ) { $ssl = Socket::Class::SSL->starttls( $client ) or die $client->error; $ssl->say( "HELLO CLIENT" ); ... } Show quoted text
> > > Some I/O error occurred at ssl_client.perl line 3. > > That is with or without calling > > $ssl->set_certificate('/usr/local/apache/conf/ssl.crt/server.crt'); > $ssl->set_private_key('/usr/local/apache/conf/ssl.key/server.key'); > > before the while() > > any ideas how to do the simple server example as a non SSL socket then > upgrade it to SSL? > > thanks! > > >
Subject: Re: [rt.cpan.org #48066] very easy to DOS server, needs a server version of starttls()
Date: Wed, 22 Jul 2009 00:23:41 +0200 (CEST)
To: bug-Socket-Class [...] rt.cpan.org
From: "Christian Mueller" <christian [...] hbr1.com>
Download (untitled) / with headers
text/plain 1.2k
well it will block the server infinitely. but its not a ssl issue. please try out the server script in the attachement. Show quoted text
> Tue Jul 21 13:50:08 2009: Request 48066 was acted upon. > Transaction: Ticket created by DMUEY > Queue: Socket-Class > Subject: very easy to DOS server, needs a server version of > starttls() > Broken in: (no value) > Severity: (no value) > Owner: Nobody > Requestors: dmuey@cpan.org > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48066 > > > > Hello, > > The attached script illustrates the problem pretty well. > > 1) in one terminal start up ssl_server.perl (essentially the basic > example) > > 2) in one or more start running ssl_client.perl (essentially the basic > example) over and over > in a large loop > > so far so good! > > 3) run ssl_dos_client.perl in another terminal one time > > Now the existing and subsequent ssl_client.perl are denied. > > To resolve this the server needs to start up non-SSL, then fork and > upgrade to SSL. > > This doesn't currently seem possible with Socket::Class::SSL. > > I'll attach an example IO::Socket::SSL based ssl_server script that will > sanely handle > misbehaving clients soon so you'll be able to see the difference yourself. > > thanks! >
Download ssl_server.perl
text/plain 885b

Message body is not shown because sender requested not to inline it.

Subject: Re: [rt.cpan.org #48066] very easy to DOS server, needs a server version of starttls()
Date: Tue, 21 Jul 2009 17:47:27 -0500
To: bug-Socket-Class [...] rt.cpan.org
From: Dan Muey <webmaster [...] simplemood.com>
Download (untitled) / with headers
text/plain 465b
Show quoted text
> This wont work. starttls() only works on connected sockets. > But by the way whats the different to creating a listening ssl socket > directly? I thought you want do something like this: > > while( $client = $socket->accept ) { > $ssl = Socket::Class::SSL->starttls( $client ) > or die $client->error; > $ssl->say( "HELLO CLIENT" ); > ... > }
That's what I was doing wrong, doh! Our IO::Socket::SSL one does that, sorry I missed that detail :)
Download (untitled) / with headers
text/plain 309b
ok, this one does the upgrade-to-ssl thing and behaves like to original (i.e. still has DOS potential) The forkage logic causes strange behavior, like blank requests (no output) and duplicate requests (the incremented number may revert back to previous ones). We'll get it yet, thanks for the assistance!
Download ssl_better_server.perl
application/octet-stream 1.1k

Message body not shown because it is not plain text.

Download ssl_dos_client.perl
application/octet-stream 142b

Message body not shown because it is not plain text.

Download ssl_client.perl
application/octet-stream 375b

Message body not shown because it is not plain text.

Subject: Re: [rt.cpan.org #48066] very easy to DOS server, needs a server version of starttls()
Date: Wed, 22 Jul 2009 01:15:44 +0200 (CEST)
To: bug-Socket-Class [...] rt.cpan.org
From: "Christian Mueller" <christian [...] hbr1.com>
Download (untitled) / with headers
text/plain 641b
Show quoted text
> Queue: Socket-Class > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48066 > > > ok, this one does the upgrade-to-ssl thing and behaves like to original > (i.e. still has DOS potential) > > The forkage logic causes strange behavior, like blank requests (no output) > and duplicate requests (the incremented number may revert back to > previous ones). > > We'll get it yet, thanks for the assistance! >
the server is very simple and almost insecure. for example readline expects correct data send to the server. but as i see the server operates outside the ssl context now. $c->write sends the data to the plain socket.
From: nick [...] cpanel.net
Download (untitled) / with headers
text/plain 1.3k
Here is the explanation in code: Example dosable forking server that runs on port 10001 socket_class_dos/dos_test.pl -- Script to test to see if the dos will happen socket_class_dos/dosable_socket_class_ssl.pl -- Functional version that just uses accept() socket_class_dos/simple_io_socket_ssl.pl -- Safe version that uses IO::Socket::SSL socket_class_dos/simple_socket_class_ssl.pl -- How I would envision doing this with Socket::Class::SSL -- not functional Usage: perl dosable_socket_class_ssl.pl & perl dos_test.pl OR perl simple_io_socket_ssl.pl & perl dos_test.pl On Tue Jul 21 19:16:05 2009, christian@hbr1.com wrote: Show quoted text
> > Queue: Socket-Class > > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48066 > > > > > ok, this one does the upgrade-to-ssl thing and behaves like to original > > (i.e. still has DOS potential) > > > > The forkage logic causes strange behavior, like blank requests (no output) > > and duplicate requests (the incremented number may revert back to > > previous ones). > > > > We'll get it yet, thanks for the assistance! > >
> > the server is very simple and almost insecure. for example readline > expects correct data send to the server. but as i see the server operates > outside the ssl context now. $c->write sends the data to the plain socket. > >
Download socket_class_dos.tar.gz
application/x-gzip 2.9k

Message body not shown because it is not plain text.

Subject: Re: [rt.cpan.org #48066] very easy to DOS server, needs a server version of starttls()
Date: Wed, 22 Jul 2009 02:54:28 +0200 (CEST)
To: bug-Socket-Class [...] rt.cpan.org
From: "Christian Mueller" <christian [...] hbr1.com>
Download (untitled) / with headers
text/plain 1.5k
please use the $sock object instead of the socket handle with starttls. does the scripts in the attachment work like expected? Show quoted text
> Queue: Socket-Class > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48066 > > > Here is the explanation in code: > > Example dosable forking server that runs on port 10001 > > socket_class_dos/dos_test.pl -- Script to test to see if the dos will > happen > socket_class_dos/dosable_socket_class_ssl.pl -- Functional version that > just uses accept() > socket_class_dos/simple_io_socket_ssl.pl -- Safe version that uses > IO::Socket::SSL > socket_class_dos/simple_socket_class_ssl.pl -- How I would envision > doing this with > Socket::Class::SSL -- not functional > > > Usage: > > perl dosable_socket_class_ssl.pl & > perl dos_test.pl > > OR > > perl simple_io_socket_ssl.pl & > perl dos_test.pl > > > > > On Tue Jul 21 19:16:05 2009, christian@hbr1.com wrote:
>> > Queue: Socket-Class >> > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48066 > >> > >> > ok, this one does the upgrade-to-ssl thing and behaves like to
>> original
>> > (i.e. still has DOS potential) >> > >> > The forkage logic causes strange behavior, like blank requests (no
>> output)
>> > and duplicate requests (the incremented number may revert back to >> > previous ones). >> > >> > We'll get it yet, thanks for the assistance! >> >
>> >> the server is very simple and almost insecure. for example readline >> expects correct data send to the server. but as i see the server >> operates >> outside the ssl context now. $c->write sends the data to the plain >> socket. >> >>
> > > >
Download dost_test.zip
application/x-zip-compressed 6.7k

Message body not shown because it is not plain text.

Subject: Re: [rt.cpan.org #48066] very easy to DOS server, needs a server version of starttls()
Date: Wed, 22 Jul 2009 19:09:13 +0200 (CEST)
To: bug-Socket-Class [...] rt.cpan.org
From: "Christian Mueller" <christian [...] hbr1.com>
Download (untitled) / with headers
text/plain 1.6k
Ok i did understand the problem. I fixed starttls to accept parameters and changed the functionality on server side. Its part of version 2.23 which i uploaded to cpan. the scripts in the attachment should work with it. Show quoted text
> Queue: Socket-Class > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48066 > > > Here is the explanation in code: > > Example dosable forking server that runs on port 10001 > > socket_class_dos/dos_test.pl -- Script to test to see if the dos will > happen > socket_class_dos/dosable_socket_class_ssl.pl -- Functional version that > just uses accept() > socket_class_dos/simple_io_socket_ssl.pl -- Safe version that uses > IO::Socket::SSL > socket_class_dos/simple_socket_class_ssl.pl -- How I would envision > doing this with > Socket::Class::SSL -- not functional > > > Usage: > > perl dosable_socket_class_ssl.pl & > perl dos_test.pl > > OR > > perl simple_io_socket_ssl.pl & > perl dos_test.pl > > > > > On Tue Jul 21 19:16:05 2009, christian@hbr1.com wrote:
>> > Queue: Socket-Class >> > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48066 > >> > >> > ok, this one does the upgrade-to-ssl thing and behaves like to
>> original
>> > (i.e. still has DOS potential) >> > >> > The forkage logic causes strange behavior, like blank requests (no
>> output)
>> > and duplicate requests (the incremented number may revert back to >> > previous ones). >> > >> > We'll get it yet, thanks for the assistance! >> >
>> >> the server is very simple and almost insecure. for example readline >> expects correct data send to the server. but as i see the server >> operates >> outside the ssl context now. $c->write sends the data to the plain >> socket. >> >>
> > > >
Download dos_test.zip
application/x-zip-compressed 6.7k

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 525b
On Wed Jul 22 13:09:32 2009, christian@hbr1.com wrote: Show quoted text
> Ok i did understand the problem. I fixed starttls to accept parameters
and Show quoted text
> changed the functionality on server side. Its part of version 2.23
which i Show quoted text
> uploaded to cpan. the scripts in the attachment should work with it.
Looks nice! w/ v2.23 I get these results: terminal 1) perl dosable_socket_class_ssl.pl terminal 2) perl dos_test.pl note the DOS happen terminal 1) perl simple_socket_class_ssl.pl terminal 2) perl dos_test.pl note the DOS does not happen
#!/usr/bin/perl use Socket::Class (); use Socket::Class::SSL (); use IO::Select (); my $pem = '-----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQC5hCJbBaDK3vhJN51DaVwUdUQkb7fnbYV36F1cYSQ0XcuUhWSb wB1Kq9BKzuYW/qaIIH08n9W41GMbQcZGLGe6pn0eZsvv/TrXLV8a2Yf6QzWw4ufH aJc1NLDvq8P2N0jxhiWmGf1u5ZJw6nGShqbrNEnB5WJZDvmdMgzGp6G7DwIDAQAB AoGBAJsmsPzi9hj05T2Gr5WjVgkeEcFPVcTNSeSAhyQtcfQBxbMO5JeF0nmSu/70 jmYIzwnl8hdzrXCI3+H53nLtzElXPM8FJ10SOAsklHZexjvV3fCC3U7Qo5su2R1e cKsRfNYx3X++kODuKGHzOi+fi9V0hiZtHgs3s9Lb4Gr2VKoRAkEA3sBUz70DEkBd UHfCh1kRRph4yUtytx9EETaewQ5kc94QHHuUk8G61zlBoItbPU+bQAJGzwap0PNe EJCqLe6ctQJBANU0/asX/q/mALPZqjE5XpzbXY4d8ZdKxJjLaEzjBHSyw4bGAD4W Q/k7E7b8r/M5wGdipBvSFbCvS2qE2c/bVzMCQQCu5u/xKeV2eEmM/GwnIF17RA9b Zz2M4iTtKykeR3HCtPOLmdGA71YI1nFcYO/kRVSOvvrgZcgDRIRwl1a4uCodAkEA y8T1nIw2Uo8UpM+npZwbHPdblvRvbhV7iDz/1lwyagZgcXLT0IMfPBiGYyFmWKQd i7Hu/tfu+wrOnWOTeOE9mQJAQaMngYlDh0SLABUiMk6MuBtZArrCL735ostnWnpf efsi37gWPlbX0Yy+4HyDPIcFpXJ46cZecFVlOq2NZSSEAg== -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJVUzEQ MA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5r bm93bjEQMA4GA1UECxMHVW5rbm93bjEMMAoGA1UEAxMDcGlnMRYwFAYJKoZIhvcN AQkBFgdzc2xAcGlnMB4XDTA4MTIyNDAzNDE0NFoXDTA5MTIyNDAzNDE0NFowezEL MAkGA1UEBhMCVVMxEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24x EDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDDAKBgNVBAMTA3Bp ZzEWMBQGCSqGSIb3DQEJARYHc3NsQHBpZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEAuYQiWwWgyt74STedQ2lcFHVEJG+3522Fd+hdXGEkNF3LlIVkm8AdSqvQ Ss7mFv6miCB9PJ/VuNRjG0HGRixnuqZ9HmbL7/061y1fGtmH+kM1sOLnx2iXNTSw 76vD9jdI8YYlphn9buWScOpxkoam6zRJweViWQ75nTIMxqehuw8CAwEAAaOB2DCB 1TAdBgNVHQ4EFgQUQRmLH9Vlf7Ts39g1omt38SEf3wowgaUGA1UdIwSBnTCBmoAU QRmLH9Vlf7Ts39g1omt38SEf3wqhf6R9MHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQI EwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAw DgYDVQQLEwdVbmtub3duMQwwCgYDVQQDEwNwaWcxFjAUBgkqhkiG9w0BCQEWB3Nz bEBwaWeCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBqpceFZCqa c2g3sjstCfDPm3PESyiPNvN152+GLuwiyu0X0KXUNzqAbQbvQ1hABjQBDWbV0hw7 tDgd0FNDIxw4+X8N4e9UVHuYlXCF4G5nLuKm5GJyHnfNCZLHdG8dNUHFwG0MN8+Q ET5BUqESHHx8ODIGnoUK6wWamINhU/Uiig== -----END CERTIFICATE-----'; my $homedir = ( getpwuid($>) )[7]; if ( open( my $pem_fh, '>', $homedir . '/mypem_ssl_test.pem' ) ) { print {$pem_fh} $pem; close($pem_fh); } my %SSLARGS = ( 'private_key' => $homedir . '/mypem_ssl_test.pem', 'certificate' => $homedir . '/mypem_ssl_test.pem', #'SSL_cipher_list' => 'ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP' ); my $port = 10001; my %ARGS = ( 'listen' => '45', 'proto' => 'tcp', 'local_port' => $port, 'reuseaddr' => '1', ); my $fd = Socket::Class::SSL->new( %ARGS, %SSLARGS ); while (1) { $socket = $fd->accept() || next; if ( fork() ) { $socket->close(); #parent } else { $socket->read( $constring, 2 ); $socket->write("SSL SERVER CONNETED OK\n"); exit(); } }
#!/usr/bin/perl BEGIN { unshift @INC, 'blib/lib', 'blib/arch'; } use Socket::Class (); use Socket::Class::SSL (); my $pem = '-----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQC5hCJbBaDK3vhJN51DaVwUdUQkb7fnbYV36F1cYSQ0XcuUhWSb wB1Kq9BKzuYW/qaIIH08n9W41GMbQcZGLGe6pn0eZsvv/TrXLV8a2Yf6QzWw4ufH aJc1NLDvq8P2N0jxhiWmGf1u5ZJw6nGShqbrNEnB5WJZDvmdMgzGp6G7DwIDAQAB AoGBAJsmsPzi9hj05T2Gr5WjVgkeEcFPVcTNSeSAhyQtcfQBxbMO5JeF0nmSu/70 jmYIzwnl8hdzrXCI3+H53nLtzElXPM8FJ10SOAsklHZexjvV3fCC3U7Qo5su2R1e cKsRfNYx3X++kODuKGHzOi+fi9V0hiZtHgs3s9Lb4Gr2VKoRAkEA3sBUz70DEkBd UHfCh1kRRph4yUtytx9EETaewQ5kc94QHHuUk8G61zlBoItbPU+bQAJGzwap0PNe EJCqLe6ctQJBANU0/asX/q/mALPZqjE5XpzbXY4d8ZdKxJjLaEzjBHSyw4bGAD4W Q/k7E7b8r/M5wGdipBvSFbCvS2qE2c/bVzMCQQCu5u/xKeV2eEmM/GwnIF17RA9b Zz2M4iTtKykeR3HCtPOLmdGA71YI1nFcYO/kRVSOvvrgZcgDRIRwl1a4uCodAkEA y8T1nIw2Uo8UpM+npZwbHPdblvRvbhV7iDz/1lwyagZgcXLT0IMfPBiGYyFmWKQd i7Hu/tfu+wrOnWOTeOE9mQJAQaMngYlDh0SLABUiMk6MuBtZArrCL735ostnWnpf efsi37gWPlbX0Yy+4HyDPIcFpXJ46cZecFVlOq2NZSSEAg== -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIDRTCCAq6gAwIBAgIBADANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJVUzEQ MA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5r bm93bjEQMA4GA1UECxMHVW5rbm93bjEMMAoGA1UEAxMDcGlnMRYwFAYJKoZIhvcN AQkBFgdzc2xAcGlnMB4XDTA4MTIyNDAzNDE0NFoXDTA5MTIyNDAzNDE0NFowezEL MAkGA1UEBhMCVVMxEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24x EDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDDAKBgNVBAMTA3Bp ZzEWMBQGCSqGSIb3DQEJARYHc3NsQHBpZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEAuYQiWwWgyt74STedQ2lcFHVEJG+3522Fd+hdXGEkNF3LlIVkm8AdSqvQ Ss7mFv6miCB9PJ/VuNRjG0HGRixnuqZ9HmbL7/061y1fGtmH+kM1sOLnx2iXNTSw 76vD9jdI8YYlphn9buWScOpxkoam6zRJweViWQ75nTIMxqehuw8CAwEAAaOB2DCB 1TAdBgNVHQ4EFgQUQRmLH9Vlf7Ts39g1omt38SEf3wowgaUGA1UdIwSBnTCBmoAU QRmLH9Vlf7Ts39g1omt38SEf3wqhf6R9MHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQI EwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAw DgYDVQQLEwdVbmtub3duMQwwCgYDVQQDEwNwaWcxFjAUBgkqhkiG9w0BCQEWB3Nz bEBwaWeCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBqpceFZCqa c2g3sjstCfDPm3PESyiPNvN152+GLuwiyu0X0KXUNzqAbQbvQ1hABjQBDWbV0hw7 tDgd0FNDIxw4+X8N4e9UVHuYlXCF4G5nLuKm5GJyHnfNCZLHdG8dNUHFwG0MN8+Q ET5BUqESHHx8ODIGnoUK6wWamINhU/Uiig== -----END CERTIFICATE-----'; my $homedir = ( getpwuid($>) )[7]; if ( open( my $pem_fh, '>', $homedir . '/mypem_ssl_test.pem' ) ) { print {$pem_fh} $pem; close($pem_fh); } my %SSLARGS = ( 'private_key' => $homedir . '/mypem_ssl_test.pem', 'certificate' => $homedir . '/mypem_ssl_test.pem', #'SSL_cipher_list' => 'ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP' ); my $port = 10001; my %ARGS = ( 'listen' => '45', 'proto' => 'tcp', 'local_port' => $port, 'reuseaddr' => '1', ); my $fd = Socket::Class->new(%ARGS); while (1) { $fd->select( $read_set = 1, undef, undef, 5 ); if ($read_set) { $socket = $fd->accept() || next; if ( fork() ) { # parent $socket->close(); } else { # child my $sslsocket = Socket::Class::SSL->starttls( $socket, 'server' => 1, %SSLARGS ) || die "Could not start ssl"; $sslsocket->read( $constring, 2 ); $sslsocket->write("SSL SERVER CONNETED OK\n"); exit(); } } }
Download dos_test.pl
text/x-perl 522b
#!/usr/bin/perl -w BEGIN { unshift @INC, 'blib/lib', 'blib/arch'; } $SIG{'ALRM'} = sub { die "DoS successful\n"; }; alarm(10); use Socket::Class::SSL(); my $ssl = Socket::Class->new( 'remote_port' => 10001 ); print "Connected\n"; my $ssl2 = Socket::Class::SSL->new( 'remote_port' => 10001 ) or die Socket::Class->error; $ssl2->write( 'test' . "\n" ); print "Connected - 2\n"; my $line = $ssl2->readline(); if ( $line =~ /conn/i ) { print "DoS failed - Server OK\n"; } else { die "DoS successful\n"; }
The DoS problem is confirmed fixed, however the downside is that the ssl context cannot be reused. Its fastest to init in the parent, and then reuse in the child. IO::Socket::SSL supports its as follows: SSL_reuse_ctx If you have already set the above options (SSL_version through SSL_check_crl; this does not include SSL_cipher_list yet) for a previous instance of IO::Socket::SSL, then you can reuse the SSL context of that instance by passing it as the value for the SSL_reuse_ctx parameter. You may also create a new instance of the IO::Socket::SSL::SSL_Context class, using any context options that you desire without specifying connection options, and pass that here instead. If you use this option, all other context-related options that you pass in the same call to new() will be ignored unless the context supplied was invalid. Note that, contrary to versions of IO::Socket::SSL below v0.90, a global SSL context will not be implicitly used unless you use the set_default_context() function. With having to reload the certificate every time it has to re-read the certificates after every fork.
Subject: Re: [rt.cpan.org #48066] very easy to DOS server, needs a server version of starttls()
Date: Sun, 26 Jul 2009 02:34:08 +0200 (CEST)
To: bug-Socket-Class [...] rt.cpan.org
From: "Christian Mueller" <christian [...] hbr1.com>
Download (untitled) / with headers
text/plain 1.3k
2.25 supports shared ssl contexts. hope it works as expected. the modified server script is attached. Show quoted text
> Queue: Socket-Class > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48066 > > > The DoS problem is confirmed fixed, however the downside is that the ssl > context cannot be > reused. Its fastest to init in the parent, and then reuse in the child. > IO::Socket::SSL supports > its as follows: > > > SSL_reuse_ctx > If you have already set the above options (SSL_version through > SSL_check_crl; this does not > include SSL_cipher_list yet) for a previous instance of IO::Socket::SSL, > then you can reuse the > SSL context of that instance by passing it as the value for the > SSL_reuse_ctx parameter. You > may also create a new instance of the IO::Socket::SSL::SSL_Context class, > using any context > options that you desire without specifying connection options, and pass > that here instead. > > If you use this option, all other context-related options that you pass in > the same call to > new() will be ignored unless the context supplied was invalid. Note that, > contrary to versions > of IO::Socket::SSL below v0.90, a global SSL context will not be > implicitly used unless you use > the set_default_context() function. > > > With having to reload the certificate every time it has to re-read the > certificates after every > fork. >

Message body is not shown because sender requested not to inline it.

From: nick [...] cpanel.net
Download (untitled) / with headers
text/plain 1.7k
Its working, however perl is seg faulting on exit on my test machine. In XS_Socket__Class_END ==> sc2 = sc1->next; <== segfaults here if I create the ctx after the Socket object ==> socket_class_free( sc1 ); <== segfaults here if I create the Socket after the ctx On Sat Jul 25 20:34:33 2009, christian@hbr1.com wrote: Show quoted text
> 2.25 supports shared ssl contexts. > hope it works as expected. > the modified server script is attached. > >
> > Queue: Socket-Class > > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48066 > > > > > The DoS problem is confirmed fixed, however the downside is that the ssl > > context cannot be > > reused. Its fastest to init in the parent, and then reuse in the child. > > IO::Socket::SSL supports > > its as follows: > > > > > > SSL_reuse_ctx > > If you have already set the above options (SSL_version through > > SSL_check_crl; this does not > > include SSL_cipher_list yet) for a previous instance of IO::Socket::SSL, > > then you can reuse the > > SSL context of that instance by passing it as the value for the > > SSL_reuse_ctx parameter. You > > may also create a new instance of the IO::Socket::SSL::SSL_Context class, > > using any context > > options that you desire without specifying connection options, and pass > > that here instead. > > > > If you use this option, all other context-related options that you pass in > > the same call to > > new() will be ignored unless the context supplied was invalid. Note that, > > contrary to versions > > of IO::Socket::SSL below v0.90, a global SSL context will not be > > implicitly used unless you use > > the set_default_context() function. > > > > > > With having to reload the certificate every time it has to re-read the > > certificates after every > > fork. > >


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.