On 2016-08-11 18:04:41 [+0200], Hubert Kario wrote:
> On Thursday, 11 August 2016 13:50:53 CEST Sebastian Andrzej Siewior wrote:
> > On 2016-08-11 11:34:24 [+0200], Hubert Kario wrote:
> > > it all depends on the environment, in some renegotiation is completely
> > > unnecessary (public HTTP servers without client certificate based
> > > authentication), in others just client-initiated renegotiation is needed
> > > (typical configuration for HTTP with client certificates), while in other
> >
> > Is this renegotiation (in this case) triggered by the client or by the
> > server? I have here access to a few servers which require client certs
> > and they don't support renegotiation (triggered by the client) right
> > after connect.
>
> in this case the renegotiation is triggered by server

Good. So still no reason to accept a renegotiation request from the
client (except your "long standing connection" point (which could be
rate-limited or shifted to the server)).

Sebastian