Yes, disabled by default now. My point was just make sure it did not come
back again, at least not without a config parameter to easily
disable/enable.
On Sun, Apr 17, 2011 at 8:41 AM, Jeff Trawick <traw...@gmail.com> wrote:
> On Sat, Apr 16, 2011 at 3:39 PM, Daniel Ruggeri <drugg...@primary.net>
> wrote:
> > On 4/16/2011 11:52 AM, Chris Hill wrote:
> >>
> >> Dear Apache httpd dev list,
> >> ...
> >> The reason why I insist in this is that the world has come to depend on
> >> HTTP/SOAP over SSL (and Apache/OpenSSL are probably the most popular
> >> implementation) for business critical apps, yet, it is not clear how
> >> these businesses can play around with configuration parameters to fine
> >> tune these SSL settings to their specific needs, e.g. *ensure client
> >> side renegs can be disabled* or at least,*provide a way of limiting how
> >> many of these a client initiated re-negotiations (or initial handshakes)
> >> a server will allow per second for a specific connection/IP*. It is
> >> great that recent Apache builds disable client initiated renegotiation
> >> by default, but how can I ensure this will never be turned back on in
> >> future releases given the lack of configuration parameters?
> >>
> >
> > Chris;
> > I believe this topic (enable/disable renegotiation) was brought up on
> this
> > list just a matter of days ago. I don't recall seeing a consensus, but I
> > would agree that a configuration parameter to (dis)allow client-initiated
> > renegotiation would be a Very Good Thing. I don't think this would be
> very
> > difficult to implement - and would be a good start to correct the issues
> you
> > call out.
>
> I thought client-initiated renegotiation was already disabled out of
> the box, with no configuration mechanism to re-enable.
>
> From ssl_engine_kernel.c, 2.2.x-latest:
>
> /* If the first handshake is complete, change state to reject any
> * subsequent client-initated renegotiation. */
> else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state ==
> RENEG_INIT) {
> scr->reneg_state = RENEG_REJECT;
> }
>
