httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jean-Marc Desperrier <>
Subject Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l
Date Wed, 18 Nov 2009 13:41:00 GMT
Torsten Foertsch wrote:
> If
> your/authentication/  is a resource that generates a directory listing
> via mod_autoindex then apache issues a subrequest for each directory
> entry.

This is not what I was testing, but you are *very right* that there is 
also that problem. I'll open a bug for it, maybe analyzes will show it's 
just a duplicate of 48215, but for now technically it might be a 
different issue.

 > Now, if only/authentication/  requires a client certificate but
 > the VHost or base server does not then each entry leads to a
 > renegotiation.
> Correct me if I am wrong but that is how I have
> explained the behavior for me.

I don't know but anyway it's still a bug.

If the resolution of the SSL vulnerability had been to remove 
renegociation altogether, it would not matter. But as renegociation will 
still be there, bugs that affect renegociation should be solved.

View raw message