Bug 42625 - mod_ssl does not support LimitRequestBody
mod_ssl does not support LimitRequestBody
Status: RESOLVED DUPLICATE of bug 12355
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
2.2-HEAD
Other All
: P2 minor (vote)
: ---
Assigned To: Apache HTTPD Bugs Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2007-06-09 18:00 UTC by Serge Dubrouski
Modified: 2007-06-10 18:47 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Serge Dubrouski 2007-06-09 18:00:52 UTC
Core Apache module provides LimitRequestBody option to limit request body. 
That works well with HTTP protocol but doesn't work with HTTPS. That happens 
because mod_ssl does not support this option and instead has it's own hard 
coded limit. The limit is set to 128K in ssl_engine_io.c:

/* 128K maximum buffer size by default. */
#ifndef SSL_MAX_IO_BUFFER
#define SSL_MAX_IO_BUFFER (128 * 1024)
#endif

....

       /* Fail if this exceeds the maximum buffer size. */
        if (total > SSL_MAX_IO_BUFFER) {
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                          "request body exceeds maximum size for SSL buffer");
            return HTTP_REQUEST_ENTITY_TOO_LARGE;
        }

That leads to two problems:

1. Inability to submit POST requests bigger than 128K
2. Inability to lower that limit to something smaller than 128K

Ideal solution for this problem would implementing suport for LimitRequestBody 
in mod_ssl or providing an alternative SSLLimitRequestBody option.
Comment 1 Ruediger Pluem 2007-06-10 03:02:22 UTC

*** This bug has been marked as a duplicate of 12355 ***
Comment 2 Serge Dubrouski 2007-06-10 06:04:55 UTC
I'm absolutely disagree that this is a duplicate for 12355. In fact it has
nothing to do with this problem, besides that they both related to mod_ssl of
course.

The code that I quoted is still in 2.2.4 version of Apache and it's still
impossible to control limits for HTTPS requests body. If I'm wrong please tell
me how I can submit posts greater than 128K using Apache 2.2.4 or how I can
limit such requests to 64K.
Comment 3 Ruediger Pluem 2007-06-10 10:30:23 UTC
You can do this with LimitRequestBody as long as no SSL renegotiation is needed
for your request (e.g. due to SSLrequire used in a Directory / Location context)
and even then you can use LimitRequestBody to limit what is being sent to your
application (cgi script, whatever). If the request body is larger than what you
set via LimitRequestBody but smaller than 128k, mod_ssl will consume the whole
body and the error checking for LimitRequestBody will bail out later. If the
request body is larger than 128k then mod_ssl will bail out regardless what is
set for LimitRequestBody. As said this is only true in the case that a SSL
renegotiation is needed. So the only limit that remains is that you cannot have
request bodies larger than 128k if an SSL renegotiation is needed for your
request and this is what is left from the original PR12355. Before the patch for
PR12355 was applied no request body at all was possible with such renegotiated
requests and now it can be up to 128k. Nevertheless many people complained
afterwards that this size is not configurable and that 128k is not enough for
their application. Please see PR12355 for further details. As far as I remember
there were some proposals how to avoid renegotiation in such cases.
To cut a long story short:
If your request needs SSL renegotiation, then you are affected from what is left
of PR12355 and if not it is highly likely that it is a misconfiguration on your
side since the LimitRequestBody check in the HTTP_INPUT filter knows nothing
about SSL. In this case please try using exactly the same configuration for SSL
and non SSL and post both (SSL/non SSL) configurations here if it still does not
work. 
Comment 4 Serge Dubrouski 2007-06-10 18:47:26 UTC
Thank you very much for a such detailed explanation.

*** This bug has been marked as a duplicate of 12355 ***