httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Thu, 05 Nov 2009 17:32:21 GMT
On Thu, Nov 05, 2009 at 03:39:06PM +0000, Ben Laurie wrote:
> Joe Orton wrote:
> > In the short term, I think it would be useful to have a new SSL_OP_* 
> > flag which enables rejection of a client-initiated handshake in an SSL 
> > server.  This will fix the issue for 90% of sites without breaking the 
> > remaining 10% (case 3 above), and is a change that can be deployed 
> > everywhere.
> 
> Case 3 is vulnerable to attack, though, so I'm afraid you want to break it.

Sites depend on per-dir-reneg and people will simply not upgrade if we 
break that - I have tried the "don't do that" response for per-dir-reneg 
issues enough times over the years that I'm reasonably confident of 
this.  (Also I'm told that the Postgres SSL support depends on being 
able to do a periodic reneg, in the wider context)

Being able to ship a 90% solution now and working on the proper fixes 
for the remaining 10% is valuable, I think.

Regards, Joe
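The discussion above turns on distinguishing a handshake the server asked for (per-directory renegotiation, e.g. to request a client certificate for one location) from one the client started on its own. The following is an added example and not mod_ssl's or OpenSSL's code: it models that decision as a per-connection state machine in plain C, with no OpenSSL dependency, so it runs stand-alone. In a real server the hook point would be OpenSSL's connection info callback, which fires at the start and end of every handshake on a connection; the state names, the `policy_reject_client_reneg` switch standing in for the proposed SSL_OP_* flag, and the scenario functions are all assumptions made for this illustration.

```c
/* Added example (not mod_ssl's or OpenSSL's code): the decision logic behind
 * "reject client-initiated renegotiation, allow server-initiated renegotiation".
 * State and policy names are assumed for this illustration. */
#include <stdio.h>
#include <stdbool.h>

/* Per-connection renegotiation state (assumed names). */
enum reneg_state {
    RENEG_INIT,    /* initial handshake not yet complete */
    RENEG_REJECT,  /* initial handshake done; an unsolicited new handshake is client-initiated */
    RENEG_ALLOW,   /* server requested a renegotiation; the next handshake is expected */
    RENEG_ABORT    /* a client-initiated handshake was seen; connection must be torn down */
};

struct conn {
    enum reneg_state state;
    bool policy_reject_client_reneg;  /* stands in for the proposed SSL_OP_* switch */
};

/* Server decides to renegotiate (e.g. per-directory client-cert verification).
 * Marks the next handshake start as expected. */
void conn_request_renegotiation(struct conn *c)
{
    if (c->state == RENEG_REJECT)
        c->state = RENEG_ALLOW;
}

/* Called whenever a handshake begins on the connection (the equivalent of the
 * info-callback "handshake start" event). Returns true to let it proceed,
 * false if the connection must be aborted. */
bool conn_on_handshake_start(struct conn *c)
{
    switch (c->state) {
    case RENEG_INIT:   /* the very first handshake on the connection */
    case RENEG_ALLOW:  /* the server asked for this one */
        return true;
    case RENEG_REJECT:
        if (c->policy_reject_client_reneg) {
            c->state = RENEG_ABORT;  /* unsolicited: client-initiated, refuse */
            return false;
        }
        return true;   /* legacy behaviour: accept any renegotiation */
    case RENEG_ABORT:
    default:
        return false;
    }
}

/* Called when a handshake completes; from here on any new handshake is
 * unsolicited unless conn_request_renegotiation() is called first. */
void conn_on_handshake_done(struct conn *c)
{
    if (c->state == RENEG_INIT || c->state == RENEG_ALLOW)
        c->state = RENEG_REJECT;
}

/* Scenario: with the policy on, a handshake the client starts after the
 * initial one is refused and the connection is marked for abort. */
int scenario_client_initiated_rejected(void)
{
    struct conn c = { RENEG_INIT, true };
    if (!conn_on_handshake_start(&c)) return 0;
    conn_on_handshake_done(&c);
    bool allowed = conn_on_handshake_start(&c);  /* client sends a new ClientHello */
    return !allowed && c.state == RENEG_ABORT;
}

/* Scenario: per-directory renegotiation requested by the server still works,
 * and a later unsolicited handshake is still refused. */
int scenario_server_initiated_allowed(void)
{
    struct conn c = { RENEG_INIT, true };
    if (!conn_on_handshake_start(&c)) return 0;
    conn_on_handshake_done(&c);
    conn_request_renegotiation(&c);                 /* e.g. SSLVerifyClient in a <Location> */
    if (!conn_on_handshake_start(&c)) return 0;     /* expected, proceeds */
    conn_on_handshake_done(&c);
    return !conn_on_handshake_start(&c) && c.state == RENEG_ABORT;
}

/* Scenario: with the policy off, the old behaviour accepts any renegotiation. */
int scenario_legacy_accepts(void)
{
    struct conn c = { RENEG_INIT, false };
    conn_on_handshake_start(&c);
    conn_on_handshake_done(&c);
    return conn_on_handshake_start(&c) && c.state == RENEG_REJECT;
}

int main(void)
{
    printf("client-initiated rejected:  %d\n", scenario_client_initiated_rejected());
    printf("server-initiated allowed:   %d\n", scenario_server_initiated_allowed());
    printf("legacy accepts everything:  %d\n", scenario_legacy_accepts());
    return 0;
}
```

The second scenario is the "case 3" that the thread says remains reachable: whenever the server itself asks for a renegotiation, the state machine lets the handshake through, which is exactly why the flag is a partial fix for sites that depend on per-directory renegotiation. Later OpenSSL releases added flags of this shape (SSL_OP_NO_RENEGOTIATION, and SSL_OP_NO_CLIENT_RENEGOTIATION in 3.0).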

