Yes, disabled by default now. My point was just to make sure it does not come back again, at least not without a config parameter to easily disable/enable it.
On Sun, Apr 17, 2011 at 8:41 AM, Jeff Trawick <traw...@gmail.com> wrote:
> On Sat, Apr 16, 2011 at 3:39 PM, Daniel Ruggeri <drugg...@primary.net> wrote:
> > On 4/16/2011 11:52 AM, Chris Hill wrote:
> >>
> >> Dear Apache httpd dev list,
> >> ...
> >> The reason why I insist on this is that the world has come to depend on
> >> HTTP/SOAP over SSL (and Apache/OpenSSL are probably the most popular
> >> implementation) for business critical apps, yet it is not clear how
> >> these businesses can play around with configuration parameters to fine
> >> tune these SSL settings to their specific needs, e.g. *ensure client
> >> side renegs can be disabled* or at least *provide a way of limiting how
> >> many client initiated re-negotiations (or initial handshakes)
> >> a server will allow per second for a specific connection/IP*. It is
> >> great that recent Apache builds disable client initiated renegotiation
> >> by default, but how can I ensure this will never be turned back on in
> >> future releases given the lack of configuration parameters?
> >>
> >
> > Chris;
> > I believe this topic (enable/disable renegotiation) was brought up on this
> > list just a matter of days ago. I don't recall seeing a consensus, but I
> > would agree that a configuration parameter to (dis)allow client-initiated
> > renegotiation would be a Very Good Thing. I don't think this would be very
> > difficult to implement - and would be a good start to correct the issues you
> > call out.
>
> I thought client-initiated renegotiation was already disabled out of
> the box, with no configuration mechanism to re-enable.
>
> From ssl_engine_kernel.c, 2.2.x-latest:
>
>     /* If the first handshake is complete, change state to reject any
>      * subsequent client-initiated renegotiation. */
>     else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
>         scr->reneg_state = RENEG_REJECT;
>     }
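Editor's note: the snippet Jeff quotes shows only the INIT -> REJECT transition. The example below is an added, standalone C model of the whole per-connection state machine that transition belongs to; it is not mod_ssl's code and is not part of this thread. It reuses the RENEG_* state names from the quoted source but replaces OpenSSL's info-callback inputs (the `where` bitmask plus SSL_get_state()) with a constructed event enum so it compiles without libssl or APR, and the scripted scenarios at the bottom are constructed inputs. The mapping comments describe how one would wire the model to the real callback and are assumptions, not a description of the actual module.

```c
#include <stdio.h>
#include <stddef.h>

/* Per-connection renegotiation state, named after the quoted mod_ssl source.
 * Standalone model for illustration; not mod_ssl's implementation. */
typedef enum {
    RENEG_INIT = 0, /* first handshake still in progress */
    RENEG_REJECT,   /* first handshake done: refuse client-initiated renegotiation */
    RENEG_ALLOW,    /* server itself asked for a renegotiation */
    RENEG_ABORT     /* client tried to renegotiate: connection must be closed */
} reneg_state_t;

/* Constructed events standing in for what a server-side SSL info callback
 * would observe. Assumed mapping to OpenSSL: EV_HANDSHAKE_DONE is
 * SSL_CB_HANDSHAKE_DONE; EV_CLIENT_HELLO_READ is SSL_CB_ACCEPT_LOOP while
 * SSL_get_state() reports a ClientHello being read; the SERVER_RENEG events
 * bracket a call to SSL_renegotiate() made by the server. */
typedef enum {
    EV_CLIENT_HELLO_READ,
    EV_HANDSHAKE_DONE,
    EV_SERVER_RENEG_BEGIN,
    EV_SERVER_RENEG_END
} ssl_event_t;

typedef struct { reneg_state_t reneg_state; } conn_t;

/* Info-callback model: only moves state, never does I/O. */
static void reneg_info_callback(conn_t *c, ssl_event_t ev)
{
    switch (ev) {
    case EV_CLIENT_HELLO_READ:
        /* In RENEG_INIT this is the initial ClientHello and is fine.
         * In RENEG_REJECT it is a client-initiated renegotiation. */
        if (c->reneg_state == RENEG_REJECT)
            c->reneg_state = RENEG_ABORT;
        break;
    case EV_HANDSHAKE_DONE:
        /* First handshake complete: from now on refuse client renegotiation.
         * This is the transition shown in the quoted snippet. */
        if (c->reneg_state == RENEG_INIT)
            c->reneg_state = RENEG_REJECT;
        break;
    case EV_SERVER_RENEG_BEGIN:
        /* A server-initiated renegotiation is whitelisted by moving to ALLOW
         * before the client's ClientHello for it arrives. */
        if (c->reneg_state == RENEG_REJECT)
            c->reneg_state = RENEG_ALLOW;
        break;
    case EV_SERVER_RENEG_END:
        if (c->reneg_state == RENEG_ALLOW)
            c->reneg_state = RENEG_REJECT;
        break;
    }
}

/* Read-path model: once ABORT is set every read fails, which is what
 * actually ends the connection. Returns -1 on refusal, else bytes wanted. */
static int reneg_read(const conn_t *c, int want)
{
    return c->reneg_state == RENEG_ABORT ? -1 : want;
}

/* Drive a scripted event sequence, stopping at the first refused read.
 * Returns the final state; RENEG_ABORT means the connection was dropped. */
reneg_state_t run_connection(const ssl_event_t *evs, size_t n)
{
    conn_t c = { RENEG_INIT };
    for (size_t i = 0; i < n; i++) {
        reneg_info_callback(&c, evs[i]);
        if (reneg_read(&c, 1) < 0)
            break;
    }
    return c.reneg_state;
}

/* Constructed scenarios. */
reneg_state_t scenario_initial_handshake(void)
{
    ssl_event_t evs[] = { EV_CLIENT_HELLO_READ, EV_HANDSHAKE_DONE };
    return run_connection(evs, 2);
}

reneg_state_t scenario_client_renegotiation(void)
{
    /* Second ClientHello after the first handshake: must be refused. */
    ssl_event_t evs[] = { EV_CLIENT_HELLO_READ, EV_HANDSHAKE_DONE,
                          EV_CLIENT_HELLO_READ, EV_HANDSHAKE_DONE };
    return run_connection(evs, 4);
}

reneg_state_t scenario_server_renegotiation(void)
{
    /* Same second ClientHello, but requested by the server: must survive. */
    ssl_event_t evs[] = { EV_CLIENT_HELLO_READ, EV_HANDSHAKE_DONE,
                          EV_SERVER_RENEG_BEGIN, EV_CLIENT_HELLO_READ,
                          EV_HANDSHAKE_DONE, EV_SERVER_RENEG_END };
    return run_connection(evs, 6);
}

int main(void)
{
    static const char *names[] = { "INIT", "REJECT", "ALLOW", "ABORT" };
    printf("initial handshake    -> %s\n", names[scenario_initial_handshake()]);
    printf("client renegotiation -> %s\n", names[scenario_client_renegotiation()]);
    printf("server renegotiation -> %s\n", names[scenario_server_renegotiation()]);
    return 0;
}
```

The point of the ALLOW state is the caveat a practitioner should check before adding any on/off knob: per-directory SSL settings make the server itself renegotiate mid-connection, so a blanket rejection of every post-handshake ClientHello would break those configurations. A state machine that whitelists the server-initiated case while refusing the client-initiated one is what makes "disabled by default, no knob" workable.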