httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions
Date Mon, 09 Nov 2009 19:45:46 GMT

--- Comment #44 from Ruediger Pluem <> 2009-11-09 12:45:37 CET ---
(In reply to comment #43)
> Ruediger,
> 1. is the config still vulnerable if the user redirects to
> "/mihailp1/www-secure/s" only after double authentication by soft
> (password-pin)?


> 2. why is *this* config vulnerable if I disable renegotiation initiated by the client?

Server-triggered renegotiations have the same problems as client-triggered
renegotiations. The only difference is that the MITM needs to know a URL on the
server that triggers a server-initiated renegotiation, in contrast to
client-driven renegotiation, where the client can decide this at will.
The only way to make your configuration safe is to move

    SSLVerifyDepth 3
    SSLVerifyClient require
    SSLOptions +OptRenegotiate

to the virtual host level and thus protect the whole virtual host.

For more details see:

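The following is an added example, not part of the bug report or of httpd itself. It is a small lint that scans an httpd configuration for the pattern discussed above: an SSLVerifyClient inside a per-directory section (Directory, Location, Files and their *Match variants) that is stricter than what the enclosing virtual host already requires, which is exactly the situation in which mod_ssl must renegotiate after the request has been read. The two configurations embedded in it are constructed for illustration; the Location path reuses the URL prefix quoted in the thread, and the strictness ordering (none < optional, optional_no_ca < require) and the minimal section parsing are the example's own assumptions.

```python
"""Lint an httpd config for per-directory SSLVerifyClient settings that force
a server-initiated renegotiation.

Added example, not code from the bug report or from httpd.  Assumptions:
  * a per-directory SSLVerifyClient that is *stricter* than the effective
    virtual-host (or server) value triggers renegotiation on matching requests;
  * section parsing is deliberately minimal (one tag per line, no Include).
"""
import re

# Strictness order (assumption: optional_no_ca treated like optional).
_LEVEL = {"none": 0, "optional_no_ca": 1, "optional": 1, "require": 2}

_OPEN = re.compile(r"^<(\w+)(?:\s+[^>]*)?>$")
_CLOSE = re.compile(r"^</(\w+)>$")
_VERIFY = re.compile(r"^SSLVerifyClient\s+(\S+)$", re.IGNORECASE)
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}


def find_renegotiating_sections(config: str) -> list[str]:
    """Return the per-directory sections whose SSLVerifyClient is stricter
    than the enclosing virtual host's (or server's) setting."""
    stack: list[str] = []                 # open section tags, innermost last
    host_level: dict[str, int] = {"": 0}  # vhost tag -> strictness; "" = server level
    per_dir: list[tuple[str, str, int]] = []  # (vhost tag, section tag, strictness)

    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if _OPEN.match(line):
            stack.append(line[1:-1])
            continue
        if _CLOSE.match(line):
            stack.pop()
            continue
        m = _VERIFY.match(line)
        if not m:
            continue
        level = _LEVEL.get(m.group(1).lower())
        if level is None:
            raise ValueError(f"unknown SSLVerifyClient value: {m.group(1)}")
        vhost = next((s for s in stack if s.lower().startswith("virtualhost")), "")
        innermost = stack[-1] if stack else ""
        kind = innermost.split()[0].lower() if innermost else ""
        if kind in PER_DIR:
            per_dir.append((vhost, innermost, level))
        else:
            host_level[vhost] = level      # vhost-level or server-level directive

    flagged = []
    for vhost, section, level in per_dir:
        effective = host_level.get(vhost, host_level[""])
        if level > effective:              # stricter than the vhost: renegotiation
            flagged.append(section)
    return flagged


# Constructed config in the shape described in the thread: the client-cert
# requirement lives only in a per-directory section, so the vhost itself is
# served without a client certificate and renegotiates when the path is hit.
WEAK_CONFIG = """
<VirtualHost *:443>
    SSLEngine on
    # no SSLVerifyClient here: vhost default is 'none'
    <Location /mihailp1/www-secure>
        SSLVerifyDepth 3
        SSLVerifyClient require
        SSLOptions +OptRenegotiate
    </Location>
</VirtualHost>
"""

# Constructed config with the three directives moved to the virtual-host
# level, as the comment recommends: the whole vhost requires the certificate
# during the initial handshake, so no per-directory renegotiation is needed.
FIXED_CONFIG = """
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyDepth 3
    SSLVerifyClient require
    SSLOptions +OptRenegotiate
    <Location /mihailp1/www-secure>
        Require valid-user
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: renegotiating sections = {find_renegotiating_sections(cfg)}")
```

Run it against a real httpd.conf (after expanding any Include lines yourself) and treat every flagged section as a place where the vhost-level setting, not the per-directory one, decides whether the virtual host is protected.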
