Re: SSL related DoS

2011-04-18 Thread Nick Gearls
there doesn't seem to be any immediate demand for renegotiation support, so it makes the most sense to leave it optional-to-enable rather than optional-to-disable. If you want to protect some parts of your site with client authentication, then you need to enable insecure renegotiation to

Re: SSL related DoS

2011-04-17 Thread Stefan Fritsch
On Sat, 16 Apr 2011, Eric Covener wrote: would mod_reqtimeout step in after too many renegotiations had eaten too much wall time? Whenever mod_ssl reads data from the client, mod_reqtimeout will check the configured timeouts. It is possible that the data sent during reneg may prevent the

Re: SSL related DoS

2011-04-17 Thread Jeff Trawick
On Sat, Apr 16, 2011 at 3:39 PM, Daniel Ruggeri drugg...@primary.net wrote: On 4/16/2011 11:52 AM, Chris Hill wrote: Dear Apache httpd dev list, ... The reason why I insist in this is that the world has come to depend on HTTP/SOAP over SSL (and Apache/OpenSSL are probably the most popular

Re: SSL related DoS

2011-04-17 Thread Chris Hill
Yes, disabled by default now. My point was just make sure it did not come back again, at least not without a config parameter to easily disable/enable. On Sun, Apr 17, 2011 at 8:41 AM, Jeff Trawick traw...@gmail.com wrote: On Sat, Apr 16, 2011 at 3:39 PM, Daniel Ruggeri drugg...@primary.net

Re: SSL related DoS

2011-04-17 Thread Chris Hill
Bill, that is already good, but then the question still remains of whether there is something that can be done to disable/control/detect too many handshakes from any given client (new or renegotiated). I'd love to understand whether this is even a reasonable thing to discuss, as I do not have knowledge

Re: SSL related DoS

2011-04-16 Thread Daniel Ruggeri
On 4/16/2011 11:52 AM, Chris Hill wrote: Dear Apache httpd dev list, ... The reason why I insist in this is that the world has come to depend on HTTP/SOAP over SSL (and Apache/OpenSSL are probably the most popular implementation) for business critical apps, yet, it is not clear how these

Re: SSL related DoS

2011-04-16 Thread William A. Rowe Jr.
On 4/16/2011 2:39 PM, Daniel Ruggeri wrote: On 4/16/2011 11:52 AM, Chris Hill wrote: but how can I ensure this will never be turned back on in future releases given the lack of configuration parameters? Chris; I believe this topic (enable/disable renegotiation) was brought up on this

Re: SSL related DoS

2011-04-16 Thread Eric Covener
would mod_reqtimeout step in after too many renegotiations had eaten too much wall time?

Re: SSL related DoS

2011-04-16 Thread Erwann ABALEA
2011/4/16 Chris Hill chris.hill...@gmail.com: [...] SSL handshakes take more processing power on the server side than on the client side (some commented in the order of 15x more). This is great news for attackers who want to take down a site and the work has already been done for them through