fredk2 wrote:
> Hi,
>
>
> Joe Orton wrote:
>> On Tue, Nov 10, 2009 at 03:19:39PM +0100, Jean-Marc Desperrier wrote:
>>> Joe Orton wrote:
>>>> On Fri, Nov 06, 2009 at 12:00:06AM +0000, Joe Orton wrote:
>>>>>> On Thu, Nov 05, 2009 at 09:31:00PM +0000, Joe Orton wrote:
>>>>>>> > * we can detect in mod_ssl when the client is renegotiating
by
>>>>>> using the
>>>>>>> > callback installed using SSL_CTX_set_info_callback(),
in
>>>>>> conjunction
>>>>>>> > with suitable flags in the SSLConnRec to detect the cases
where
>>>>>> this is
>>>>>>> > either a server-initiated renegotiation or the initial
handshake
>>>>>> on the
>>>>>>> > connection.
>>>>>> Here is a very rough first hack (for discussion/testing purposes
>>>>> only!):
>>>> A second hack, slightly less rough hack:
>>> Joe, instead of hard coding this, a very nice solution would be to have
>>> a new directive "SSLServerRenegociation Allow" or even more flexible
>>> "SSLRenegociation disabled/serveronly/enabled" with disabled as default
>>> value.
>> Yes, sure. What is possible in mod_ssl will depend on what interfaces
>> OpenSSL will expose for this, which is not yet clear.
>>
>> Regards, Joe
>>
>>
>
> Now that 0.9.8m-beta1 is available, what is likely to happen with Apache
> 2.2.15?
> I looked at the svn tree, but I could not see if anyone was working on
> adding this excellent idea for a new directive SSLRenegociation
> disabled/serveronly/enabled.
> If the server does not require renegotiation it seems perfect if the apache
> closed the connection upon receipt of the R instead of the current 5 min
> (default) timeout wait.
>
FYI the initial documentation is here:
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION
there are currently only two flags to set in an SSL/SSL_CTX structure. Though
servers might want to make use of SSL_get_secure_renegotiation_support() too.
Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
|