httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jor...@apache.org
Subject svn commit: r906454 - /httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
Date Thu, 04 Feb 2010 11:25:54 GMT
Author: jorton
Date: Thu Feb  4 11:25:54 2010
New Revision: 906454

URL: http://svn.apache.org/viewvc?rev=906454&view=rev
Log:
* docs/manual/mod/mod_ssl.xml: Warn more clearly about
the security impact of SSLInsecureRenegotiation.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=906454&r1=906453&r2=906454&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Thu Feb  4 11:25:54 2010
@@ -1781,6 +1781,7 @@
 <contextlist><context>server config</context>
 <context>virtual host</context></contextlist>
 <compatibility>Available in httpd 2.3 and later, if using OpenSSL 1.0.0 Beta 5 or later</compatibility>
+<default>SSLInsecureRenegotiation off</default>
 
 <usage>
 <p>As originally specified, all versions of the SSL and TLS protocols
@@ -1795,15 +1796,23 @@
 <p>If <module>mod_ssl</module> is linked against OpenSSL version 1.0.0
 Beta 5 or later, by default renegotiation is only supported with
 clients supporting the new protocol extension.  If this directive is
-enabled, renegotiation will be allowed with old (unpatched) clients.
-SSL connections will be vulnerable to the prefix attack as described
-above if this directive is enabled.  The <code>SSL_SECURE_RENEG</code>
-variable can be used to determine whether secure renegotiation is
-supported for a given SSL connection.</p>
+enabled, renegotiation will be allowed with old (unpatched) clients,
+albeit insecurely.</p>
+
+<note type="warning"><title>Security warning</title>
+<p>If this directive is enabled, SSL connections will be vulnerable to
+the Man-in-the-Middle prefix attack as described
+in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>.</p>
+</note>
 
 <example><title>Example</title>
 SSLInsecureRenegotiation on
 </example>
+
+<p>The <code>SSL_SECURE_RENEG</code> environment variable can be used
+from an SSI or CGI script to determine whether secure renegotiation is
+supported for a given SSL connection.</p>
+
 </usage>
 </directivesynopsis>
 



Mime
View raw message