httpd-dev mailing list archives

From fredk2 <fre...@gmail.com>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Tue, 26 Jan 2010 20:05:21 GMT

Hi,


Joe Orton wrote:
> 
> On Tue, Nov 10, 2009 at 03:19:39PM +0100, Jean-Marc Desperrier wrote:
>> Joe Orton wrote:
>>> On Fri, Nov 06, 2009 at 12:00:06AM +0000, Joe Orton wrote:
>>>> >  On Thu, Nov 05, 2009 at 09:31:00PM +0000, Joe Orton wrote:
>>>>> >  >  * we can detect in mod_ssl when the client is renegotiating by
>>>>> >  >  using the callback installed using SSL_CTX_set_info_callback(), in
>>>>> >  >  conjunction with suitable flags in the SSLConnRec to detect the
>>>>> >  >  cases where this is either a server-initiated renegotiation or
>>>>> >  >  the initial handshake on the connection.
>>>> >
>>>> >  Here is a very rough first hack (for discussion/testing purposes
>>>> only!):
>>> A second hack, slightly less rough hack:
>>
>> Joe, instead of hard coding this, a very nice solution would be to have  
>> a new directive "SSLServerRenegociation Allow" or even more flexible  
>> "SSLRenegociation disabled/serveronly/enabled" with disabled as default  
>> value.
> 
> Yes, sure.  What is possible in mod_ssl will depend on what interfaces 
> OpenSSL will expose for this, which is not yet clear.
> 
> Regards, Joe
> 
> 

Now that 0.9.8m-beta1 is available, what is likely to happen with Apache
2.2.15?
I looked at the svn tree, but I could not see if anyone was working on
adding this excellent idea for a new directive SSLRenegociation
disabled/serveronly/enabled.
If the server does not require renegotiation, it seems perfect if Apache
closed the connection upon receipt of the R instead of the current 5 min
(default) timeout wait.

Thank you - Fred
-- 
View this message in context: http://old.nabble.com/TLS-renegotiation-attack%2C-mod_ssl-and-OpenSSL-tp26215127p27328884.html
Sent from the Apache HTTP Server - Dev mailing list archive at Nabble.com.
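Added example, not code from this thread or from mod_ssl itself: a standalone C model of the detection logic the quoted message describes, a per-connection state field driven by the handshake events an SSL_CTX_set_info_callback() callback receives, so that a second handshake the server did not ask for is flagged and the connection can be dropped instead of idling until the timeout. The state names, the `conn` struct and the helper functions are assumptions for illustration; the two flag values are copied from OpenSSL's ssl.h so the model builds without libssl.

```c
#include <stdio.h>

/* Bits of the `where` word OpenSSL passes to an info callback
 * (values as defined in <openssl/ssl.h>, copied so this compiles stand-alone). */
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20

/* Per-connection renegotiation state, the role of the "suitable flags in the
 * SSLConnRec" mentioned in the thread (names are this example's own). */
enum reneg_state {
    RENEG_INIT = 0, /* initial handshake on the connection still in progress */
    RENEG_REJECT,   /* handshake complete: any new handshake is client-initiated */
    RENEG_ALLOW,    /* server itself asked for a renegotiation */
    RENEG_ABORT     /* client tried to renegotiate: close the connection */
};

struct conn {
    enum reneg_state reneg_state;
    int handshakes; /* number of handshakes started on this connection */
};

/* Body an info callback would run; `where` is the flag word from OpenSSL. */
void info_callback(struct conn *c, int where)
{
    if (where & SSL_CB_HANDSHAKE_START) {
        c->handshakes++;
        /* A handshake starting while we are not expecting one is a
         * client-initiated renegotiation: mark the connection for abort. */
        if (c->reneg_state == RENEG_REJECT)
            c->reneg_state = RENEG_ABORT;
    }
    if (where & SSL_CB_HANDSHAKE_DONE) {
        /* Initial or server-initiated handshake finished: from now on any
         * further handshake start is treated as a client renegotiation. */
        if (c->reneg_state == RENEG_INIT || c->reneg_state == RENEG_ALLOW)
            c->reneg_state = RENEG_REJECT;
    }
}

/* The server calls this just before triggering a renegotiation itself
 * (e.g. for a per-directory client-certificate requirement). */
void server_begin_renegotiation(struct conn *c) { c->reneg_state = RENEG_ALLOW; }

/* What the connection's input filter checks on every read:
 * nonzero means stop reading and close the connection now. */
int must_abort(const struct conn *c) { return c->reneg_state == RENEG_ABORT; }
```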

