Holger Reif wrote:
>
> Ralf S. Engelschall wrote:
> >
> > Ok, here is take 3 and my cleaned up and finally proposed patch which solves
> > the POST problems by pre-sucking pending input data from the SSL/TLS I/O layer
> > and re-injecting them after the renegotiation phase into the Apache I/O layer.
>
> I don't want to blow away your work, but this seems to me
> the wrong solution! Is it really okay, if a renegotiation
> was initiated because of missing cipher strength, client
> cert, whatever, to accept the data sent under other
> conditions? What happens if renegotiation fails completely?
> If the client doesn't present a cert, for example?
I think you will get a FORBIDDEN reply.
The real problem is that if you want to protect the form data with
a strong cipher, the request gets sent before the renegotiation,
so it is possible that some data gets transferred with a weak cipher in place.
-------------------------------------------------------------------------------
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED] Voice: +41 1 272 6111 Fax: +41 1 272 6312
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
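The situation Matthias describes, as an added configuration example (not from the thread and not mod_ssl's own shipped configuration): a per-directory cipher or client-certificate requirement is only discovered after the request has been parsed, so mod_ssl has to renegotiate, and a POST body has by then already travelled under whatever cipher the initial handshake agreed on. Hostnames, addresses, paths and the permissive cipher string are assumptions for illustration.

```apache
# Added example, not from the mailing-list thread.
# Hostnames, IP addresses, file paths and cipher strings are assumed.

# Variant A: strength required per directory.
# The initial handshake may complete with any cipher permitted at the
# virtual-host level. mod_ssl only learns of the stricter requirement once
# the request line and headers are parsed, then triggers a renegotiation.
# For a POST the request body has already been sent (or is in flight)
# under the first, possibly weak, cipher.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    # assumed permissive host-wide cipher list
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP
    <Location /secure-form/>
        SSLCipherSuite HIGH
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>

# Variant B: strength required at the virtual-host level.
# The strong cipher and the client certificate are enforced by the initial
# handshake, so no renegotiation takes place and no byte of the request
# (headers or body) is ever transferred under a weaker cipher. The cost is
# that every resource on this host carries the same requirement.
<VirtualHost 192.0.2.11:443>
    ServerName forms.example.com
    SSLEngine on
    SSLCipherSuite HIGH
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /path/to/ca.crt   # assumed path
</VirtualHost>
```

Variant B sidesteps the re-injection problem entirely because there is nothing to renegotiate: a client that cannot meet the requirement fails the first handshake before any application data is sent. Where a mixed host is unavoidable, the per-directory form remains subject to the concern raised in the thread, since the body of a POST has left the client before the server can demand stronger conditions.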