On 03/03/2010 11:33 PM, William A. Rowe Jr. wrote:
Seriously, I was hoping 0.9.8m will reject legacy clients,
unless explicitly SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set,
but it seems that's not the case or we are doing something wrong in
mod_ssl.
It rejects the renegotation. It is the callers responsibility to continue
or die. Dr Henson's suggested approach is that we drop the timeout to
some 5 seconds or less, in this case, until they resume the connection.
Sure that could be the solution if there is no option to tell the
server to make that decision.
Regards
--
^TM
