httpd-dev mailing list archives

From Jean-Marc Desperrier <jmd...@free.fr>
Subject Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l
Date Wed, 18 Nov 2009 13:34:08 GMT
Dr Stephen Henson wrote:
> Jean-Marc Desperrier wrote:
>> Joe Orton wrote:
>>> Please file a bug and attach all of:
>>>
>>> a) error_log output at "LogLevel debug" for that case
>>> b) the config snipping that you're using for /authentication
>>> c) the mod_ssl configuration
>>
>> This is now done in bug
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=48215
>>
>> error.log might have enough info to understand what happens, but I
>> included everything else needed to repro from scratch.
>
> What happens with the latest 0.9.8-stable version of OpenSSL?

Stephen, what result do you expect from this?
Does the latest 0.9.8-stable already implement safe renegotiation? But
I'd need a version of Firefox that implements it for testing (I'll try to
get that from Nelson).

If renegotiation is simply disabled, this case will simply fail as expected.
It's not a case of mod_ssl starting renegotiation where *none* is required.
Some comments imply that one also happens sometimes but I don't know if 
it's true as I don't know how precisely to reproduce it.
But I won't exclude it given how easy it is to fall into the problem of 
mod_ssl requiring more renegotiations than really needed.
