William A. Rowe Jr. wrote:
> On 3/3/2010 11:50 AM, Stefan Fritsch wrote:
>> On Wednesday 03 March 2010, Mladen Turk wrote:
>>> BTW, I wouldn't recommend compiling against 0.9.8m.
>>> openssl s_client < 0.9.8m blocks on renegotiation
>> Have you only tried 0.9.8l as client? It has a known bug with 
>> renegotiation that makes it hang instead of fail.
>>
>> I have no problems with 0.9.8c and 0.9.8g (from Debian 4.0 and 5.0). 
>> If SSLInsecureRenegotiation is on, it works. If 
>> SSLInsecureRenegotiation is off, I get an "sslv3 alert handshake 
>> failure".
> 
> And the bug is specific to openssl < 0.9.8m mishandling the alert; it will
> neither abort nor resume the prior session, so it is left to timeout.  You
> may want to contrast this behavior to legacy IE, Firefox, etc.
> 
> Attached is one suggestion of a workaround.

If I understand the code correctly, it looks like Apache is already trapping and
aborting client-initiated renegotiations, so this "hang" situation shouldn't
arise.

Note that you don't need to abort if secure renegotiation is supported by the
client.

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
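Steve's last point, that a server only needs to refuse a client-initiated renegotiation when the client does not support secure renegotiation, rests on the two RFC 5746 signals a client sends in its ClientHello: the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00FF) or the renegotiation_info extension (0xff01). The following is an added example, not code from the thread, mod_ssl or OpenSSL; it parses a ClientHello body and reports whether either signal is present, using a constructed ClientHello rather than a real capture.

```python
import struct

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signalling cipher suite value
EXT_RENEGOTIATION_INFO = 0xFF01             # RFC 5746 renegotiation_info extension type


def parse_client_hello(body: bytes) -> dict:
    """Parse a ClientHello body (bytes after the 4-byte handshake header)."""
    pos = 0
    version = body[pos:pos + 2]
    pos += 2 + 32                      # client_version, then 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                 # session_id
    cs_len = struct.unpack('!H', body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack('!H', body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len                # compression_methods
    exts = {}
    if pos < len(body):                # extensions block is optional (TLS 1.0 clients may omit it)
        ext_len = struct.unpack('!H', body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack('!HH', body[pos:pos + 4])
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
    return {'version': version, 'cipher_suites': suites, 'extensions': exts}


def client_supports_secure_renegotiation(body: bytes) -> bool:
    """True if the client advertised RFC 5746 support via the SCSV or the extension."""
    hello = parse_client_hello(body)
    return (TLS_EMPTY_RENEGOTIATION_INFO_SCSV in hello['cipher_suites']
            or EXT_RENEGOTIATION_INFO in hello['extensions'])


def build_client_hello(suites, extensions=None) -> bytes:
    """Constructed sample ClientHello body for testing; not a real capture."""
    body = b'\x03\x01' + b'\x00' * 32 + b'\x00'            # TLS 1.0, zero random, empty session_id
    body += struct.pack('!H', 2 * len(suites)) + b''.join(struct.pack('!H', s) for s in suites)
    body += b'\x01\x00'                                    # one compression method: null
    if extensions is not None:
        ext = b''.join(struct.pack('!HH', t, len(d)) + d for t, d in extensions.items())
        body += struct.pack('!H', len(ext)) + ext
    return body
```

A legacy client (no SCSV, no extension) is the case where a server with SSLInsecureRenegotiation off should reject the renegotiation; a client sending either signal can be allowed to renegotiate safely.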
