On 11/05/2009 11:03 PM, Dirk-Willem van Gulik wrote: > Joe Orton wrote: > >> * we can detect in mod_ssl when the client is renegotiating by using the >> callback installed using SSL_CTX_set_info_callback(), in conjunction >> with suitable flags in the SSLConnRec to detect the cases where this is >> either a server-initiated renegotiation or the initial handshake on the >> connection. > > This seems to work for me - i.e. it calls back exactly when needed > (rather than EAGAIN like break bubbling up in kernel_io.c) - and it > _also_ seems to cover the other types of re-negotiation (i.e. other than > for a Cert) which actually worry me a lot more. > > For the record - this MiM can be done with _all_ type of > (re)negotiations - for all parameters right ?
As far as I understand it: Yes. One of the examples was regarding cipher spec renegotiations and I see no reasons why other renegotiations beyond cert and cipher spec shouldn't be vulnerable. Regards RĂ¼diger