From amazon at gatuno.mx  Tue Jan 26 06:53:30 2021
From: amazon at gatuno.mx (=?UTF-8?Q?F=C3=A9lix_Arreola_Rodr=C3=ADguez?=)
Date: Mon, 25 Jan 2021 23:53:30 -0600
Subject: [mod_gnutls-devel] libapache2-mod-gnutls: mod_gnutls consumes 100%
 cpu and possible DOS
Message-ID: <255586354368778a044424ba02b81520@gatuno.mx>

Hi

I came across this Debian Bug 
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942737), after doing 
heavy gdb debugging, I find out a problem between mod-gnutls and 
mod-reqtimeout. The issue causes a possible DOS, because if you have and 
empty TCP connection, and mod request timeout enabled, reqtimeout 
generates APR_TIMEUP and this causes a loop inside mod-gnutls.

The long debug session is described here: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942737#25

Steps to reproduce:
Enable apache2 with the modules mod-gnutls, and mod-reqtimeout. Setup a
reqtimeout like: RequestReadTimeout header=20-40,minrate=500 and open
an openssl s_client:

openssl s_client -connect IP:port

Don't send any data over the openssl connect. Just wait for the timeout
to happen. After the timeout, the CPU usage will increase. Also, you
can quit the openssl s_client and the apache process will be stuck in
the endless loop.

This bug is not found in 0.8.2, because it handles different the 
APR_TIMEUP.

Thanks for reading.

-- 
Atte. F?lix Arreola