From: Jean-Marc Desperrier
Date: Wed, 18 Nov 2009 14:34:08 +0100
To: dev@httpd.apache.org
CC: Dr Stephen Henson, jorton@redhat.com
Subject: Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l
Message-ID: <4B03F7D0.1010202@free.fr>
In-Reply-To: <4B02FA15.5070507@oss-institute.org>

Dr Stephen Henson wrote:
> Jean-Marc Desperrier wrote:
>> Joe Orton wrote:
>>> Please file a bug and attach all of:
>>>
>>> a) error_log output at "LogLevel debug" for that case
>>> b) the config snippet that you're using for /authentication
>>> c) the mod_ssl configuration
>>
>> This is now done in bug
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=48215
>>
>> error.log might have enough info to understand what happens, but I
>> included everything else needed to repro from scratch.
>
> What happens with the latest 0.9.8-stable version of OpenSSL?

Stephen, what result do you expect from this? Does the latest 0.9.8-stable already implement safe renegotiation? But I'd need a version of Firefox that implements it for testing (I'll try to get that from Nelson).

If renegotiation is simply disabled, this case will simply fail as expected. It's not a case of mod_ssl starting renegotiation where *none* is required. Some comments imply that one also happens sometimes, but I don't know if it's true as I don't know how precisely to reproduce it. But I won't exclude it given how easy it is to fall into the problem of mod_ssl requiring more renegotiations than really needed.