On 4/13/2011 5:42 PM, Chris Hill wrote:
> Open SSL dev team,
>  
> It seems like in releases after OpenSSL 0.9.8l (the ones that contained the
> fix for CVE-2009-3555), client initiated "secure/safe" renegotiation was never
> re-enabled by default, judging by how Apache behaves.

Since you are asking a /user/ question about *Apache*, the dev@ list of openssl
seems like a really silly place to start ;-)

But I've kicked your question over to the Apache httpd dev list to inquire about
the state of the mod_ssl/CVE-2009-3555 code.  I reproduced with 0.9.8o and 2.2.17
with a 0.9.8o client.

Perhaps the only relevant *OpenSSL* question is: does 'R' attempt a 'new style'
renegotiation, or only a classic/legacy renegotiation?  If that's the case (and
you want it to work, in spite of risks), and this is the behavior you want to
allow, there's a directive for that;

  http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation

but let's drop httpd discussion from this thread, if you want to follow up,
us...@httpd.apache.org is probably the list you wanted in the first place.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
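Added example, not part of the thread and not code from the OpenSSL or httpd projects: a small POSIX sh script that does the probe the reply talks about. It opens an `openssl s_client` session, sends `R` on stdin to request a client-initiated renegotiation, and classifies the transcript. The only line patterns it relies on are the ones `s_client` prints itself: "Secure Renegotiation IS supported" / "Secure Renegotiation IS NOT supported" after the handshake (whether the RFC 5746 extension was negotiated), and "RENEGOTIATING" when it reads `R`. The two-second sleeps around `R` are an assumption about how long the handshake takes; the sample transcripts at the bottom are constructed, not captured from a real host. Whether a legacy renegotiation is then accepted is what `SSLInsecureRenegotiation on` in httpd controls; the script does not try to infer that from the transcript.

```shell
#!/bin/sh
# Added example (not from the thread, OpenSSL or httpd).
# Probe a TLS server for renegotiation behaviour with openssl s_client:
# send 'R' after the handshake and classify what s_client reports.

# probe_reneg HOST [PORT]: run s_client, wait for the handshake, send 'R'
# (s_client's renegotiate command), wait, and emit the transcript.
# Needs network access; the sleep lengths are an assumption.
probe_reneg() {
    host=$1; port=${2:-443}
    { sleep 2; printf 'R\n'; sleep 2; } |
        openssl s_client -connect "$host:$port" 2>&1
}

# reneg_status TRANSCRIPT: print secure | legacy-only | unknown, based on
# the "Secure Renegotiation IS ..." line s_client prints after the handshake.
reneg_status() {
    case $1 in
        *"Secure Renegotiation IS NOT supported"*) echo legacy-only ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# reneg_attempted TRANSCRIPT: exit 0 if s_client actually issued a
# renegotiation (it prints RENEGOTIATING when it reads 'R' from stdin).
reneg_attempted() {
    case $1 in
        *RENEGOTIATING*) return 0 ;;
        *)               return 1 ;;
    esac
}

# reneg_verdict TRANSCRIPT: one-line summary of both checks.
reneg_verdict() {
    status=$(reneg_status "$1")
    if reneg_attempted "$1"; then attempted=yes; else attempted=no; fi
    echo "rfc5746=$status client-reneg-sent=$attempted"
}

# Constructed, abridged sample transcripts (not captured from a real host).
SAMPLE_SECURE='---
SSL handshake has read 1234 bytes and written 456 bytes
---
Secure Renegotiation IS supported
---
RENEGOTIATING
'
SAMPLE_LEGACY='---
SSL handshake has read 1234 bytes and written 456 bytes
---
Secure Renegotiation IS NOT supported
---
'

# With a host argument, probe it live; otherwise show the sample verdicts.
if [ $# -ge 1 ]; then
    reneg_verdict "$(probe_reneg "$1" "${2:-443}")"
else
    echo "sample secure: $(reneg_verdict "$SAMPLE_SECURE")"
    echo "sample legacy: $(reneg_verdict "$SAMPLE_LEGACY")"
fi
```

Run it as `sh probe_reneg.sh www.example.com 443` against a server you are allowed to test. A `legacy-only` result means any `R` that succeeds is the pre-RFC 5746 renegotiation CVE-2009-3555 is about; a patched httpd refuses it unless `SSLInsecureRenegotiation on` is set, which is why a mod_ssl test with default configuration appears to have renegotiation "never re-enabled".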