Joe Orton wrote:
> On Wed, Mar 03, 2010 at 06:31:36PM +0000, Dr Stephen Henson wrote:
>
>> Note that you don't need to abort if secure renegotiation is supported
>> by the client.
>
> Is there any technical need to support client-initiated reneg? It's a
> bad fit with mod_ssl.
>
It has been reported that some clients (not OpenSSL based unless the
application explicitly requests it) do renegotiate periodically. In one
case sending back the no renegotiation alert to an unpatched client
(*definitely* not OpenSSL based) meant the connection continued
correctly. I've no idea how widespread this is though. It's something
which just "worked" before and there'd be no reason to notice it.

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
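The two mechanisms the thread turns on are the RFC 5746 signal a server uses to decide whether a client supports secure renegotiation (the renegotiation_info extension, type 0xff01, or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite 0x00ff) and the warning-level no_renegotiation(100) alert a server can send instead of tearing the connection down. The following is an added example written for this page, not code from OpenSSL, mod_ssl or the message authors: it parses a ClientHello body for the RFC 5746 signal and builds and recognises the alert record. The ClientHello bodies it examines are constructed in make_sample_hello (TLS 1.0 version, all-zero random, one real suite, optional SCSV and extension), and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_EXT_RENEGOTIATION_INFO        0xff01  /* RFC 5746 extension type */
#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00ff  /* RFC 5746 signalling suite */
#define TLS_CONTENT_TYPE_ALERT            21
#define TLS_ALERT_LEVEL_WARNING           1
#define TLS_ALERT_NO_RENEGOTIATION        100     /* RFC 5246 alert description */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk a ClientHello body (the 4-byte handshake header already stripped) and
   report whether the client signals RFC 5746 support: 1 = yes (SCSV or
   renegotiation_info present), 0 = no, -1 = malformed/truncated input. */
int client_signals_secure_reneg(const uint8_t *hello, size_t len)
{
    size_t off, sid_len, cs_len, comp_len, ext_len, i;
    int found = 0;

    if (len < 2 + 32 + 1) return -1;
    off = 2 + 32;                              /* client_version + random */
    sid_len = hello[off++];
    if (off + sid_len + 2 > len) return -1;
    off += sid_len;
    cs_len = rd16(hello + off); off += 2;
    if (cs_len % 2 != 0 || off + cs_len + 1 > len) return -1;
    for (i = 0; i < cs_len; i += 2)
        if (rd16(hello + off + i) == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) found = 1;
    off += cs_len;
    comp_len = hello[off++];
    if (off + comp_len > len) return -1;
    off += comp_len;
    if (off == len) return found;              /* extensions block is optional */
    if (off + 2 > len) return -1;
    ext_len = rd16(hello + off); off += 2;
    if (off + ext_len != len) return -1;
    while (off < len) {
        uint16_t type; size_t elen;
        if (off + 4 > len) return -1;
        type = rd16(hello + off); elen = rd16(hello + off + 2); off += 4;
        if (off + elen > len) return -1;
        if (type == TLS_EXT_RENEGOTIATION_INFO) {
            /* body is opaque renegotiated_connection<0..255>: one length byte
               (0 on an initial handshake) followed by that many bytes */
            if (elen < 1 || elen != 1 + (size_t)hello[off]) return -1;
            found = 1;
        }
        off += elen;
    }
    return found;
}

/* Build the 7-byte TLS record carrying a warning-level no_renegotiation alert. */
size_t build_no_renegotiation_alert(uint8_t out[7], uint8_t major, uint8_t minor)
{
    out[0] = TLS_CONTENT_TYPE_ALERT;
    out[1] = major; out[2] = minor;            /* record-layer protocol version */
    out[3] = 0; out[4] = 2;                    /* fragment length: level + description */
    out[5] = TLS_ALERT_LEVEL_WARNING;
    out[6] = TLS_ALERT_NO_RENEGOTIATION;
    return 7;
}

/* Client-side view: is this record a warning no_renegotiation alert that a
   client may ignore and carry on with the existing connection? */
int alert_is_no_renegotiation(const uint8_t *rec, size_t len)
{
    return len == 7 && rec[0] == TLS_CONTENT_TYPE_ALERT && rd16(rec + 3) == 2 &&
           rec[5] == TLS_ALERT_LEVEL_WARNING && rec[6] == TLS_ALERT_NO_RENEGOTIATION;
}

/* Constructed sample ClientHello body (assumption, not captured traffic):
   TLS 1.0, zero random, empty session id, TLS_RSA_WITH_AES_128_CBC_SHA,
   optionally the SCSV and/or an empty renegotiation_info extension. */
size_t make_sample_hello(uint8_t *buf, int with_scsv, int with_ext)
{
    size_t off = 0, cs_len = with_scsv ? 4 : 2;
    buf[off++] = 0x03; buf[off++] = 0x01;      /* client_version */
    memset(buf + off, 0, 32); off += 32;       /* random (constructed zeros) */
    buf[off++] = 0;                            /* session_id length */
    buf[off++] = (uint8_t)(cs_len >> 8); buf[off++] = (uint8_t)cs_len;
    buf[off++] = 0x00; buf[off++] = 0x2f;      /* TLS_RSA_WITH_AES_128_CBC_SHA */
    if (with_scsv) { buf[off++] = 0x00; buf[off++] = 0xff; }
    buf[off++] = 1; buf[off++] = 0;            /* compression_methods: null */
    if (with_ext) {
        buf[off++] = 0; buf[off++] = 5;        /* extensions length */
        buf[off++] = 0xff; buf[off++] = 0x01;  /* renegotiation_info */
        buf[off++] = 0; buf[off++] = 1;        /* extension_data length */
        buf[off++] = 0;                        /* empty renegotiated_connection */
    }
    return off;
}

/* Convenience wrapper: build a sample hello and classify it. */
int check_sample(int with_scsv, int with_ext)
{
    uint8_t buf[64];
    size_t n = make_sample_hello(buf, with_scsv, with_ext);
    return client_signals_secure_reneg(buf, n);
}

int main(void)
{
    uint8_t alert[7];
    printf("SCSV only      -> %d\n", check_sample(1, 0));
    printf("extension only -> %d\n", check_sample(0, 1));
    printf("neither        -> %d\n", check_sample(0, 0));
    build_no_renegotiation_alert(alert, 3, 1);
    printf("alert recognised -> %d\n", alert_is_no_renegotiation(alert, 7));
    return 0;
}
```

A server that sees 1 from client_signals_secure_reneg can let a client-initiated renegotiation proceed under RFC 5746; for a client that returns 0, answering the ClientHello with the warning alert rather than closing is what allowed the unpatched client above to carry on. The parser treats a renegotiation_info body whose length byte does not match the extension length as malformed, which is the check RFC 5746 requires before a handshake is accepted.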
