Commits on Nov 2, 2011
  1. Merge pull request #48 from EmericBr/b21242a3

    Some shctx optimz
    Jamie Turner committed Nov 2, 2011
  2. Merge pull request #47 from vincentbernat/feature/disablereneg

    Disable SSL renegotiation to fix CVE-2009-3555.
    Jamie Turner committed Nov 2, 2011
  3. Merge pull request #43 from dpaneda/master

    Patch to set SO_KEEPALIVE on client socket
    Jamie Turner committed Nov 2, 2011
Commits on Oct 29, 2011
  1. Compute openssl internal size from external cache size

    intsize = 123+extsize/8
    
    Bench results: perf doesn't decrease and RAM usage is lower.
    emeric committed Oct 29, 2011
  2. Shared cache optimizations:

    Review code to do ASN1 stuff outside memory locks (increases performance around 3%)
    Review algo to reuse the oldest deleted node or the least active one if none deleted
    Do not delete nodes from tree but only from active list.
    Review macros and add comments.
    emeric committed Oct 29, 2011
Commits on Oct 28, 2011
  1. Disable SSL renegotiation to fix CVE-2009-3555.

    If OpenSSL is too old, it does not properly associate renegotiation
    handshakes with an existing connection, which allows man-in-the-middle
    attackers to insert data into HTTPS sessions, and possibly other types
    of sessions protected by TLS or SSL, by sending an unauthenticated
    request that is processed retroactively by a server in a
    post-renegotiation context, related to a "plaintext injection" attack,
    aka the "Project Mogul" issue.
    
    If OpenSSL is recent enough, it will use SSL secure renegotiation
    instead (RFC 5746). However, this feature allows an attacker to
    easily trigger a lot of handshakes, which would allow a DoS of the server.
    
    At least, there seems to be no easy way to tell if OpenSSL is
    vulnerable to CVE-2009-3555 and therefore, in doubt, it may be better
    to disable renegotiation.
    vincentbernat committed Oct 28, 2011
Commits on Oct 20, 2011
  1. Setting SO_KEEPALIVE on client socket and adding option to customize keepalive timer via TCP_KEEPIDLE setsockopt

    dpaneda committed Oct 20, 2011
Commits on Oct 13, 2011
  1. added https note

    Jamie Turner committed Oct 13, 2011
  2. Set TCP_NODELAY on backend socket.

    Jamie Turner committed Oct 13, 2011
Commits on Oct 12, 2011
  1. Merge remote-tracking branch 'vincentbernat/feature/engine'

    Conflicts:
    	stud.c
    Jamie Turner committed Oct 12, 2011
  2. Merge pull request #28 from vincentbernat/feature/man

    Manual page for stud
    Jamie Turner committed Oct 12, 2011
  3. Merge pull request #40 from Neopallium/master

    Fix crash from un-initialized ev_io struct.
    Jamie Turner committed Oct 12, 2011
  4. formatting (4 spaces)

    Jamie Turner committed Oct 12, 2011
  5. formatting (4 spaces)

    Jamie Turner committed Oct 12, 2011
  6. Merge remote-tracking branch 'gyepisam/master'

    Conflicts:
    	Makefile
    	stud.c
    Jamie Turner committed Oct 12, 2011
  7. Merge pull request #25 from mqudsi/master

    Fixed mismatching behavior for -q parameter
    Jamie Turner committed Oct 12, 2011
Commits on Oct 8, 2011
  1. Fix commandline option -q.

    Neopallium committed Oct 7, 2011
Commits on Oct 3, 2011
Commits on Sep 24, 2011
Commits on Sep 23, 2011
  1. Rework and clean Makefile

    Shared cache is enabled by default and can be disabled with a
    variable. `install` target is enhanced to obey PREFIX and DESTDIR.
    vincentbernat committed Sep 23, 2011
Commits on Sep 21, 2011
Commits on Sep 15, 2011
  1. Add child process management:

    master process spawns new children to replace any that die.
    
    Handle SIGPIPE to avoid (default) process death.
    
    Add check for error in socket creation.
    
    Move globals initialization into a separate routine.
    gyepisam committed Sep 15, 2011
Commits on Sep 13, 2011
  1. wording

    Jamie Turner committed Sep 13, 2011
  2. wording

    Jamie Turner committed Sep 13, 2011
  3. Style

    Jamie Turner committed Sep 13, 2011
  4. Cleanup help output (and sync README).

    Jamie Turner committed Sep 13, 2011
  5. Only openlog() if we need to.

    Jamie Turner committed Sep 13, 2011
  6. Remove the SO_ACCEPTFILTER code. Why:

     1. "httpready" cannot be right on an encrypted stream
     2. Various things online suggest this may fail at runtime
        on the basis of a certain apache-provided kernel module
        being present--even if we switch to "dataready".
        This sounds like a bad idea to me.
    Jamie Turner committed Sep 13, 2011