On Tue, Nov 10, 2009 at 03:19:39PM +0100, Jean-Marc Desperrier wrote:
> Joe Orton wrote:
>> On Fri, Nov 06, 2009 at 12:00:06AM +0000, Joe Orton wrote:
>>> On Thu, Nov 05, 2009 at 09:31:00PM +0000, Joe Orton wrote:
>>>> * we can detect in mod_ssl when the client is renegotiating by using
>>>> the callback installed using SSL_CTX_set_info_callback(), in conjunction
>>>> with suitable flags in the SSLConnRec to detect the cases where this is
>>>> either a server-initiated renegotiation or the initial handshake on the
>>>> connection.
>>>
>>> Here is a very rough first hack (for discussion/testing purposes only!):
>>
>> A second hack, slightly less rough hack:
>
> Joe, instead of hard coding this, a very nice solution would be to have
> a new directive "SSLServerRenegociation Allow" or even more flexible
> "SSLRenegociation disabled/serveronly/enabled" with disabled as default
> value.
Yes, sure. What is possible in mod_ssl will depend on what interfaces
OpenSSL will expose for this, which is not yet clear.

Regards, Joe
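The detection approach discussed in the thread, as an added example that is not part of the original message or of mod_ssl: a function in the shape of an SSL_CTX_set_info_callback() handler keeps per-connection state to tell the initial handshake, a server-initiated renegotiation and a client-initiated renegotiation apart, and applies a policy in the spirit of the proposed disabled/serveronly/enabled directive. conn_state, reneg_policy and the helper names are assumptions; the SSL_CB_* values are those of OpenSSL's ssl.h.

```c
/* Added example (not mod_ssl's code): per-connection tracking of TLS
 * renegotiation as an SSL_CTX_set_info_callback() handler would do it.
 * SSL_CB_HANDSHAKE_START/DONE use the values from <openssl/ssl.h>; conn_state
 * and reneg_policy are hypothetical stand-ins for SSLConnRec and the proposed
 * SSLRenegotiation directive. */
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20

enum reneg_policy { RENEG_DISABLED, RENEG_SERVERONLY, RENEG_ENABLED };

typedef struct {
    enum reneg_policy policy;
    int handshake_done;    /* initial handshake on this connection finished */
    int server_initiated;  /* set by the server right before it renegotiates */
    int rejected;          /* a disallowed renegotiation was seen: abort */
} conn_state;

/* Callback body; real code would fetch conn_state via SSL_get_app_data(ssl). */
void reneg_info_callback(conn_state *st, int where, int ret)
{
    (void)ret;
    if ((where & SSL_CB_HANDSHAKE_START) && st->handshake_done) {
        /* Not the initial handshake, so a renegotiation is starting. */
        int allowed = st->policy == RENEG_ENABLED ||
                      (st->policy == RENEG_SERVERONLY && st->server_initiated);
        if (!allowed)
            st->rejected = 1;
    }
    if (where & SSL_CB_HANDSHAKE_DONE) {
        st->handshake_done = 1;
        st->server_initiated = 0;  /* flag is consumed by this handshake */
    }
}

/* Two constructed connection histories: returns 1 if the connection survives. */
static int replay(enum reneg_policy policy, int second_is_server)
{
    conn_state st = { policy, 0, 0, 0 };
    reneg_info_callback(&st, SSL_CB_HANDSHAKE_START, 1);  /* initial handshake */
    reneg_info_callback(&st, SSL_CB_HANDSHAKE_DONE, 1);
    if (second_is_server)
        st.server_initiated = 1;  /* e.g. a per-directory SSLVerifyClient */
    reneg_info_callback(&st, SSL_CB_HANDSHAKE_START, 1);  /* renegotiation */
    reneg_info_callback(&st, SSL_CB_HANDSHAKE_DONE, 1);
    return !st.rejected;
}
int client_reneg_survives(enum reneg_policy p) { return replay(p, 0); }
int server_reneg_survives(enum reneg_policy p) { return replay(p, 1); }
```

Under the default "disabled" policy both histories end in rejection; "serveronly" lets only the server-armed renegotiation through.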