Hi,
Joe Orton wrote:
>
> On Tue, Nov 10, 2009 at 03:19:39PM +0100, Jean-Marc Desperrier wrote:
>> Joe Orton wrote:
>>> On Fri, Nov 06, 2009 at 12:00:06AM +0000, Joe Orton wrote:
>>>> On Thu, Nov 05, 2009 at 09:31:00PM +0000, Joe Orton wrote:
>>>>> * we can detect in mod_ssl when the client is renegotiating by
>>>>> using the callback installed using SSL_CTX_set_info_callback(), in
>>>>> conjunction with suitable flags in the SSLConnRec to detect the
>>>>> cases where this is either a server-initiated renegotiation or the
>>>>> initial handshake on the connection.
>>>>
>>>> Here is a very rough first hack (for discussion/testing purposes
>>>> only!):
>>>
>>> A second, slightly less rough hack:
>>
>> Joe, instead of hard coding this, a very nice solution would be to have
>> a new directive "SSLServerRenegociation Allow" or even more flexible
>> "SSLRenegociation disabled/serveronly/enabled" with disabled as default
>> value.
>
> Yes, sure. What is possible in mod_ssl will depend on what interfaces
> OpenSSL will expose for this, which is not yet clear.
>
> Regards, Joe
>

Now that 0.9.8m-beta1 is available, what is likely to happen with Apache
2.2.15? I looked at the svn tree, but I could not see if anyone was
working on adding this excellent idea for a new directive
SSLRenegociation disabled/serveronly/enabled.

If the server does not require renegotiation, it seems perfect if Apache
closed the connection upon receipt of the R instead of the current 5 min
(default) timeout wait.

Thank you - Fred

--
View this message in context: http://old.nabble.com/TLS-renegotiation-attack%2C-mod_ssl-and-OpenSSL-tp26215127p27328884.html
Sent from the Apache HTTP Server - Dev mailing list archive at Nabble.com.
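The detection Joe describes above (an info callback plus per-connection flags that tell the initial handshake and a server-initiated renegotiation apart from a client-initiated one), and the immediate close Fred asks for, as an added example. This is not mod_ssl's code nor Joe's patch; it models only the state logic. The two SSL_CB_* values are OpenSSL's, redefined locally so the file builds without OpenSSL; struct conn_state stands in for the SSLConnRec flags (assumption); EV_SERVER_RENEG is a constructed marker for "the server itself called SSL_renegotiate()". Registering the callback with SSL_CTX_set_info_callback(), reaching the per-connection state from the SSL * it receives, and actually dropping the connection are left to the caller.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL info-callback flags (same values as in openssl/ssl.h),
 * redefined here so the example compiles without OpenSSL installed. */
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20

/* Constructed marker, not an OpenSSL value: the server is about to call
 * SSL_renegotiate() itself (e.g. for a per-directory SSLVerifyClient). */
#define EV_SERVER_RENEG (-1)

enum reneg_state {
    RENEG_INIT = 0, /* initial handshake on the connection not yet complete */
    RENEG_REJECT,   /* initial handshake done; a client-initiated renegotiation is refused */
    RENEG_ALLOW,    /* server started a renegotiation; the next handshake is expected */
    RENEG_ABORT     /* client tried to renegotiate; drop the connection now */
};

/* Stands in for the flags Joe mentions in the SSLConnRec (assumption). */
struct conn_state {
    enum reneg_state reneg;
    int handshakes;     /* number of handshakes started on this connection */
};

/* Logic to run from the info callback for each `where` it receives.
 * Returns 1 when the caller should abort the connection at once
 * (rather than let the client sit there until the timeout). */
int reneg_on_info_event(struct conn_state *c, int where)
{
    if (where & SSL_CB_HANDSHAKE_START) {
        c->handshakes++;
        /* A new handshake after the first one completed, that we did not
         * ask for ourselves, is a client-initiated renegotiation. */
        if (c->reneg == RENEG_REJECT) {
            c->reneg = RENEG_ABORT;
            return 1;
        }
    }
    if (where & SSL_CB_HANDSHAKE_DONE) {
        /* Initial handshake or server-initiated renegotiation finished:
         * from now on only the server may renegotiate. */
        if (c->reneg != RENEG_ABORT)
            c->reneg = RENEG_REJECT;
    }
    return c->reneg == RENEG_ABORT;
}

/* Call before SSL_renegotiate() so the resulting handshake is not mistaken
 * for a client-initiated one. HANDSHAKE_DONE returns the state to REJECT. */
void reneg_server_begin(struct conn_state *c)
{
    c->reneg = RENEG_ALLOW;
}

/* Replays a constructed event sequence. Returns the 1-based index of the
 * event at which the connection would be aborted, or 0 if it survives. */
int run_events(struct conn_state *c, const int *events, int n)
{
    int i;
    memset(c, 0, sizeof *c);
    for (i = 0; i < n; i++) {
        if (events[i] == EV_SERVER_RENEG) {
            reneg_server_begin(c);
            continue;
        }
        if (reneg_on_info_event(c, events[i]))
            return i + 1;
    }
    return 0;
}

int main(void)
{
    struct conn_state c;
    const int initial[]  = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE };
    const int client[]   = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
                             SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE };
    const int server[]   = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
                             EV_SERVER_RENEG,
                             SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE };

    printf("initial handshake only: abort at event %d\n", run_events(&c, initial, 2));
    printf("client renegotiation:   abort at event %d\n", run_events(&c, client, 4));
    printf("server renegotiation:   abort at event %d\n", run_events(&c, server, 5));
    return 0;
}
```

The point of the RENEG_ALLOW state is that the callback alone cannot tell who started a handshake; the server must mark its own SSL_renegotiate() call before the info callback sees SSL_CB_HANDSHAKE_START, otherwise a legitimate per-directory client-certificate renegotiation would be aborted too.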