https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #44 from Ruediger Pluem <[email protected]> 2009-11-09 12:45:37 CET ---

(In reply to comment #43)
> Ruediger,
>
> 1. Is the config still vulnerable if the user is redirected to
> "/mihailp1/www-secure/s" only after double authentication by soft
> (password-pin)?

Yes.

> 2. Why is *this* config vulnerable if I disable renegotiation initiated by
> the client?

Server triggered renegotiations have the same problems as client triggered
renegotiations. The only difference is that the MIM needs to know a URL on
the server that triggers a server triggered renegotiation, in contrast to
the client driven renegotiation, where the client can decide this at will.

The only way to make your configuration safe is to move

    SSLVerifyDepth 3
    SSLVerifyClient require
    SSLOptions +OptRenegotiate

to the virtual host level and thus protect the whole virtual host.

For more details see:

http://extendedsubset.com/Renegotiating_TLS.pdf
http://extendedsubset.com/Renegotiating_TLS_pd.pdf
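The two configurations the comment contrasts, written out as an added example (this is not configuration from the bug thread or from the httpd project). The Location path is the one quoted from comment #43; the ServerName and certificate paths are placeholders. The first block requires a client certificate only for one path, so a client that first negotiates the session without a certificate must be upgraded by a server-initiated renegotiation when it reaches that path; the second block moves the same three directives to the virtual host, so the client certificate is requested in the initial handshake and the server never has to renegotiate. The two blocks are alternatives for the same vhost, not meant to be loaded together.

```apache
# Added example, not from the Bugzilla thread. ServerName and all
# certificate paths are placeholders; the Location path is taken from
# comment #43. Apache config does not allow comments after a directive on
# the same line, so every comment here sits on its own line.

# ---- Weak: client certificate required only under one Location ----
# The TLS session for this vhost starts with no client certificate
# (SSLVerifyClient defaults to none). The first request for a URL under
# the Location below forces mod_ssl to renegotiate the session so that it
# can ask for the certificate. That server-triggered renegotiation is the
# one the comment says has the same problems as a client-triggered one:
# an attacker in the middle only needs to know this URL to trigger it.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder/server.crt
    SSLCertificateKeyFile /path/to/placeholder/server.key
    SSLCACertificateFile  /path/to/placeholder/client-ca.crt

    <Location /mihailp1/www-secure/s>
        SSLVerifyDepth 3
        SSLVerifyClient require
        SSLOptions +OptRenegotiate
    </Location>
</VirtualHost>

# ---- Hardened: the same directives at virtual host level ----
# The client certificate is negotiated in the initial handshake for every
# request to this vhost, so there is no URL whose first access triggers a
# server-initiated renegotiation. The trade-off the comment accepts is that
# the whole virtual host, not just one path, now requires a certificate.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder/server.crt
    SSLCertificateKeyFile /path/to/placeholder/server.key
    SSLCACertificateFile  /path/to/placeholder/client-ca.crt

    SSLVerifyDepth 3
    SSLVerifyClient require
    SSLOptions +OptRenegotiate
</VirtualHost>
```

A quick way to check which form a running server uses is to look for `SSLVerifyClient` inside any `<Location>`, `<Directory>` or `<Files>` container (and in `.htaccess` files, where `SSLVerifyClient` and `SSLVerifyDepth` are also permitted) underneath a vhost whose own `SSLVerifyClient` is `none` or unset; each such container is a path whose first access forces a server-initiated renegotiation. Moving the directives to the vhost only removes the server-triggered case; the comment's answer to question 2 assumes client-initiated renegotiation is already disabled by the httpd build in use.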
