httpd-dev mailing list archives

From Dirk-Willem van Gulik
Subject Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL)
Date Fri, 06 Nov 2009 02:00:47 GMT
Andrews, Rick wrote:

> But I suppose you'll need to locate an old international browser that
> does step up, right? Most modern browsers will start with strong crypto
> and don't need to step up.

What we really need is 1) a pub/priv key pair of such a cert* (or use
attached CSR) of some random domain (ideally expired and with a totally
bogus CN value so we can post the private key publicly) and 2) obviously
a browser which supports this (but that we can handle).

As we need to plug it into Joe's patched apache to see if it will
still allow that initial re-negotiation; but block later re-negotiation.


*: Unless someone can tell me how to make the right thing
    with openssl; I cannot figure out how to do the extension
    file right - and think it is not an option.
