httpd-dev mailing list archives
From Joe Orton <jor...@redhat.com>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Tue, 10 Nov 2009 14:25:30 GMT
On Tue, Nov 10, 2009 at 03:19:39PM +0100, Jean-Marc Desperrier wrote:
> Joe Orton wrote:
>> On Fri, Nov 06, 2009 at 12:00:06AM +0000, Joe Orton wrote:
>>> On Thu, Nov 05, 2009 at 09:31:00PM +0000, Joe Orton wrote:
>>>> * we can detect in mod_ssl when the client is renegotiating by using the
>>>> callback installed using SSL_CTX_set_info_callback(), in conjunction
>>>> with suitable flags in the SSLConnRec to detect the cases where this is
>>>> either a server-initiated renegotiation or the initial handshake on the
>>>> connection.
>>>
>>> Here is a very rough first hack (for discussion/testing purposes only!):
>> A second hack, slightly less rough hack:
>
> Joe, instead of hard coding this, a very nice solution would be to have
> a new directive "SSLServerRenegociation Allow" or even more flexible
> "SSLRenegociation disabled/serveronly/enabled" with disabled as default
> value.

Yes, sure.  What is possible in mod_ssl will depend on what interfaces 
OpenSSL will expose for this, which is not yet clear.

Regards, Joe
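The detection approach quoted above (an info callback plus per-connection flags), modelled as an added C example that is neither mod_ssl's nor OpenSSL's code: the SSL_CB_* values are the ones from OpenSSL's ssl.h, while the connection record, its state names and the helper functions are assumptions made for this illustration.

```c
/* Model of distinguishing the initial handshake, a server-requested
 * renegotiation and a client-initiated one from an info callback.
 * Added example; the conn record and state names are hypothetical. */
#include <stdio.h>

#define SSL_CB_HANDSHAKE_START 0x10   /* value from openssl/ssl.h */
#define SSL_CB_HANDSHAKE_DONE  0x20   /* value from openssl/ssl.h */

/* Hypothetical stand-in for the flags kept in mod_ssl's SSLConnRec. */
typedef enum {
    RENEG_INIT = 0, /* initial handshake not finished yet */
    RENEG_REJECT,   /* handshake done: client-initiated reneg is refused */
    RENEG_ALLOW,    /* server asked for a renegotiation, one is expected */
    RENEG_ABORT     /* a client-initiated renegotiation was seen */
} reneg_state_t;

typedef struct {
    reneg_state_t reneg_state;
    int handshakes; /* handshakes completed on this connection */
} conn_rec_t;

/* Same shape as an SSL_CTX_set_info_callback() callback, except that the
 * connection record is passed directly; mod_ssl would recover it from
 * the SSL object with SSL_get_app_data(). */
void info_callback(conn_rec_t *c, int where, int ret)
{
    (void)ret;
    if (where & SSL_CB_HANDSHAKE_START) {
        /* A handshake starting after one already completed, which the
         * server did not request, is a client-initiated renegotiation. */
        if (c->reneg_state == RENEG_REJECT)
            c->reneg_state = RENEG_ABORT;
    }
    if (where & SSL_CB_HANDSHAKE_DONE) {
        c->handshakes++;
        /* After any completed handshake, only server-requested ones pass. */
        if (c->reneg_state != RENEG_ABORT)
            c->reneg_state = RENEG_REJECT;
    }
}

/* Server calls this before SSL_renegotiate(), e.g. for a per-directory
 * SSLVerifyClient change, so the coming handshake is known to be its own. */
void server_renegotiate(conn_rec_t *c) { c->reneg_state = RENEG_ALLOW; }

/* Returns 1 when the connection must be dropped. */
int must_abort(const conn_rec_t *c) { return c->reneg_state == RENEG_ABORT; }
```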
