I was running some tests with apachebench to get some performance timings, and I inadvertently gave a URL that was SSL enabled but with a http:// prefix. If I do this from a browser I get the message:

    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.

I was watching the memory footprint of httpd while doing this, and it grows RAPIDLY! Here is a trace, dumped every 5 seconds:

    40001 A nsuser 48354 17728 104 60 20 3d144 6556 * 11:10:29 - 0:01 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 79 60 20 3d144 171528 * 11:10:29 - 0:06 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 76 60 20 3d144 418664 * 11:10:29 - 0:10 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 2 60 20 3d144 630156 * 11:10:29 - 0:14 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 0 60 20 3d144 630156 * 11:10:29 - 0:14 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 0 60 20 3d144 630156 * 11:10:29 - 0:14 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 0 60 20 3d144 630156 * 11:10:29 - 0:14 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 23 60 20 3d144 631532 * 11:10:29 - 0:14 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 118 60 20 3d144 643608 * 11:10:29 - 0:21 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 13 60 20 3d144 649964 * 11:10:29 - 0:28 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 32 60 20 3d144 656148 * 11:10:29 - 0:34 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 52 60 20 3d144 662140 * 11:10:29 - 0:41 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 75 60 20 3d144 668276 * 11:10:29 - 0:48 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 109 60 20 3d144 674340 * 11:10:29 - 0:54 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 131 60 20 3d144 680632 * 11:10:29 - 1:01 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 18 60 20 3d144 686904 * 11:10:29 - 1:08 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 43 60 20 3d144 693064 * 11:10:29 - 1:14 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 73 60 20 3d144 699364 * 11:10:29 - 1:21 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 92 60 20 3d144 705672 * 11:10:29 - 1:28 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 110 60 20 3d144 711836 * 11:10:29 - 1:34 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 12 60 20 3d144 718044 * 11:10:29 - 1:41 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 36 60 20 3d144 724340 * 11:10:29 - 1:48 lt-httpd -k start -DSSL
    40001 A nsuser 48354 17728 57 60 20 3d144 730148 *

Shortly after this the process crashed.

Regards
Mick
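The growth pattern in the trace above can be caught automatically. This is an added example, not part of the original report and not Apache code; it assumes the 4th field is the PID, the 10th the process size and the 14th the cumulative CPU time, and its thresholds are illustrative.

```python
# Added example: flag runaway memory growth in a ps-style trace.
# Assumed layout: field 4 = PID, field 10 = size, field 14 = CPU time.

# First six rows of the reporter's trace, one sample every 5 seconds.
SAMPLE = """\
40001 A nsuser 48354 17728 104 60 20 3d144 6556 * 11:10:29 - 0:01 lt-httpd -k start -DSSL
40001 A nsuser 48354 17728 79 60 20 3d144 171528 * 11:10:29 - 0:06 lt-httpd -k start -DSSL
40001 A nsuser 48354 17728 76 60 20 3d144 418664 * 11:10:29 - 0:10 lt-httpd -k start -DSSL
40001 A nsuser 48354 17728 2 60 20 3d144 630156 * 11:10:29 - 0:14 lt-httpd -k start -DSSL
40001 A nsuser 48354 17728 0 60 20 3d144 630156 * 11:10:29 - 0:14 lt-httpd -k start -DSSL
40001 A nsuser 48354 17728 0 60 20 3d144 630156 * 11:10:29 - 0:14 lt-httpd -k start -DSSL
"""


def parse_trace(text):
    """Return [(pid, size, cpu_seconds)] for every complete trace row."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Truncated rows (fewer than 14 fields) and non-trace lines are skipped.
        if len(f) < 14 or not (f[3].isdigit() and f[9].isdigit()):
            continue
        parts = f[13].split(":")
        if not all(p.isdigit() for p in parts):
            continue
        cpu = 0
        for p in parts:  # m:ss or h:mm:ss -> seconds
            cpu = cpu * 60 + int(p)
        rows.append((int(f[3]), int(f[9]), cpu))
    return rows


def analyse(rows, interval_s=5, limit_per_s=1000, growth_factor=2):
    """Alert when size never shrinks, grows fast, and has at least doubled."""
    sizes = [r[1] for r in rows]
    deltas = [b - a for a, b in zip(sizes, sizes[1:])]
    if not deltas:
        return {"alert": False, "peak_rate": 0.0, "grown_by": 0}
    peak = max(deltas) / interval_s  # size units per second
    monotonic = all(d >= 0 for d in deltas)
    alert = (monotonic and peak > limit_per_s
             and sizes[-1] >= growth_factor * sizes[0])
    return {"alert": alert, "peak_rate": peak, "grown_by": sizes[-1] - sizes[0]}


if __name__ == "__main__":
    print(analyse(parse_trace(SAMPLE)))
```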
Ouch! Thanks for the report, the fix is here:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.117&r2=1.118

This change will be proposed for inclusion in the next 2.0 release.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0113 to this issue.
There was a minor bug in the patch posted previously; the better fix is below: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.100.2.11&r2=1.100.2.12