Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Reply-To: dev@httpd.apache.org
Delivered-To: mailing list cvs@httpd.apache.org
Content-Type: text/plain; charset="utf-8"
Subject: svn commit: r906067 - /httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
Date: Wed, 03 Feb 2010 14:30:37 -0000
To: cvs@httpd.apache.org
From: jorton@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20100203143037.CC11323889DD@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: jorton Date: Wed Feb 3 14:30:37 2010 New Revision: 906067 URL: http://svn.apache.org/viewvc?rev=906067&view=rev Log: * mod_ssl.xml: Document the SSL_SECURE_RENEG envvar, and SSLInsecureRenegotiation. Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=906067&r1=906066&r2=906067&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Wed Feb 3 14:30:37 2010 @@ -62,6 +62,7 @@ SSL_PROTOCOL string The SSL protocol version (SSLv2, SSLv3, TLSv1) SSL_SESSION_ID string The hex-encoded SSL session id SSL_SESSION_RESUMED string Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use +SSL_SECURE_RENEG string true if secure renegotiation is supported, else false SSL_CIPHER string The cipher specification name SSL_CIPHER_EXPORT string true if cipher is an export cipher SSL_CIPHER_USEKEYSIZE number Number of cipher bits (actually used) @@ -1773,4 +1774,37 @@ + +SSLInsecureRenegotiation +Option to enable support for insecure renegotiation +SSLInsecureRenegotiation flag +server config +virtual host +Available in httpd 2.3 and later, if using OpenSSL 1.0.0 Beta 5 or later + + +

As originally specified, all versions of the SSL and TLS protocols +(up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle +attack +(CVE-2009-3555) +during a renegotiation. This vulnerability allowed an attacker to +"prefix" a chosen plaintext to the HTTP request as seen by the web +server. A protocol extension was developed which fixed this +vulnerability if supported by both client and server.

+ +

If mod_ssl is linked against OpenSSL version 1.0.0 +Beta 5 or later, by default renegotiation is only supported with +clients supporting the new protocol extension. If this directive is +enabled, renegotiation will be allowed with old (unpatched) clients. +SSL connections will be vulnerable to the prefix attack as described +above if this directive is enabled. The SSL_SECURE_RENEG +variable can be used to determine whether secure renegotiation is +supported for a given SSL connection.

+ +Example +SSLInsecureRenegotiation on + +
+
+
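Review bot: In the first hunk (@@ -62,6 +62,7 @@), the new SSL_SECURE_RENEG table row promises a value of "true" or "false" without any version caveat, while the second hunk ties secure-renegotiation support to OpenSSL 1.0.0 Beta 5 or later; the row should say what the variable holds when mod_ssl is linked against an older OpenSSL, and a pointer to the SSLInsecureRenegotiation directive (where the variable's purpose is actually explained) would help readers of the variable table.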
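Review bot: In the second hunk (@@ -1773,4 +1774,37 @@), the directive synopsis gives the syntax "SSLInsecureRenegotiation flag" but no default value, even though the body relies on "by default renegotiation is only supported with clients supporting the new protocol extension"; adding an explicit default line ("SSLInsecureRenegotiation off") alongside the context and compatibility fields would make the default visible where readers look for it. The sentence "SSL connections will be vulnerable to the prefix attack as described above if this directive is enabled" also reads as if every connection is affected, whereas the preceding text limits the exposure to renegotiations with old (unpatched) clients, which the paragraph already says SSL_SECURE_RENEG can identify; rewording it to "renegotiations with clients that do not support the extension will be vulnerable" would be more precise.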