Comment 3 for bug 1463635

Christian Ehrhardt (paelzer) wrote:

Hi,
you are right that default configurations should be sane.
I totally like your report on the potential DoS by keeping a connection open and so stalling the restart forever.
So I don't just want you or me to close it.
But then the GracefulShutdownTimeout being zero is the Apache default - not one set by Ubuntu.

I see two issues in "just" changing that:
- while discussion-worthy, some other users might expect it to behave as it did up to now
- Upstream must have a reason to keep the default at zero (I hope)

I'd suggest bringing the matter up for discussion upstream with Apache.
There the experts can much better quantify the reality of an attack due to this or any other implications.
E.g. the answer to why exactly the connections remain open and what could/should be done.

Once there is agreement and a patch that changes the upstream default, new versions will pick it up and it could be back-ported to old versions as needed.