httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Wed, 27 Jan 2010 22:41:02 GMT
fredk2 wrote:
> Hi,
> Joe Orton wrote:
>> On Tue, Nov 10, 2009 at 03:19:39PM +0100, Jean-Marc Desperrier wrote:
>>> Joe Orton wrote:
>>>> On Fri, Nov 06, 2009 at 12:00:06AM +0000, Joe Orton wrote:
>>>>> On Thu, Nov 05, 2009 at 09:31:00PM +0000, Joe Orton wrote:
>>>>>> * we can detect in mod_ssl when the client is renegotiating using the
>>>>>>   callback installed using SSL_CTX_set_info_callback(), in conjunction
>>>>>>   with suitable flags in the SSLConnRec to detect the cases where this is
>>>>>>   either a server-initiated renegotiation or the initial on the
>>>>>>   connection.
>>>>> Here is a very rough first hack (for discussion/testing purposes only!):
>>>> A second, slightly less rough hack:
>>> Joe, instead of hard coding this, a very nice solution would be to have
>>> a new directive "SSLServerRenegotiation Allow" or, even more flexible,
>>> "SSLRenegotiation disabled/serveronly/enabled" with disabled as the default
>>> value.
>> Yes, sure.  What is possible in mod_ssl will depend on what interfaces
>> OpenSSL will expose for this, which is not yet clear.
>> Regards, Joe
> Now that 0.9.8m-beta1 is available, what is likely to happen with Apache
> 2.2.15?
> I looked at the svn tree, but I could not see if anyone was working on
> adding this excellent idea for a new directive SSLRenegotiation
> disabled/serveronly/enabled.
> If the server does not require renegotiation, it seems perfect if Apache
> closed the connection upon receipt of the R instead of the current 5 min
> (default) timeout wait.

FYI the initial documentation is here:

There are currently only two flags to set in an SSL/SSL_CTX structure, though
servers might want to make use of SSL_get_secure_renegotiation_support() too.

Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute:
OpenSSL Core team:
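The mechanism Joe describes in the quoted thread (an SSL info callback plus per-connection flags that tell an initial handshake and a server-initiated renegotiation apart from a client-initiated one) can be shown as a small state machine. The following is an added example written for this archive page; it is not Joe's hack, not mod_ssl's code and not part of OpenSSL. To compile without linking OpenSSL it redefines the two event bits `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` with the values they have in `<openssl/ssl.h>` (an assumption stated in the code), and it drives the callback body with constructed event sequences instead of a real `SSL *`. The state names, the `struct conn` and the `run_events` driver are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Mirror of the info-callback event bits from <openssl/ssl.h>. Assumption:
 * the same values OpenSSL uses; redefined here so this model builds offline. */
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20

/* Per-connection renegotiation state: the "flags in the SSLConnRec" idea. */
enum reneg_state {
    RENEG_INIT = 0,  /* initial handshake on the connection still in progress */
    RENEG_REJECT,    /* a handshake completed; client-initiated reneg is refused */
    RENEG_ALLOW,     /* the server itself asked for a renegotiation */
    RENEG_ABORT      /* the client tried to renegotiate: drop the connection */
};

/* Stand-in for the per-connection record a real callback would fetch
 * through SSL_get_app_data(). */
struct conn {
    enum reneg_state reneg_state;
};

/* Body of an SSL info callback. The real callback has the signature
 * void cb(const SSL *ssl, int where, int ret); here the connection record
 * is passed directly instead of being looked up from the SSL object. */
void info_callback(struct conn *c, int where, int ret)
{
    (void)ret;
    if (where & SSL_CB_HANDSHAKE_START) {
        /* A handshake starts after one already completed and the server did
         * not request it: that is a client-initiated renegotiation. */
        if (c->reneg_state == RENEG_REJECT)
            c->reneg_state = RENEG_ABORT;
    } else if (where & SSL_CB_HANDSHAKE_DONE) {
        /* Initial or server-initiated handshake finished: from now on any
         * handshake the server did not start is rejected. */
        if (c->reneg_state == RENEG_INIT || c->reneg_state == RENEG_ALLOW)
            c->reneg_state = RENEG_REJECT;
    }
}

/* The server calls this right before it triggers a renegotiation itself
 * (for example to apply per-location cipher or client-cert settings),
 * so the callback lets that handshake through. */
void server_begin_renegotiation(struct conn *c)
{
    c->reneg_state = RENEG_ALLOW;
}

/* 1 if the connection should be closed at once rather than left to idle
 * out on the keep-alive timeout, as the thread asks for. */
int must_abort(const struct conn *c)
{
    return c->reneg_state == RENEG_ABORT;
}

/* Feed a constructed event sequence to the callback. server_reneg_at is the
 * index before which the server announces its own renegotiation (-1: never). */
enum reneg_state run_events(const int *events, size_t n, int server_reneg_at)
{
    struct conn c = { RENEG_INIT };
    for (size_t i = 0; i < n; i++) {
        if ((int)i == server_reneg_at)
            server_begin_renegotiation(&c);
        info_callback(&c, events[i], 1);
    }
    return c.reneg_state;
}

/* Constructed scenarios: what the callback would observe on a real SSL *. */
enum reneg_state scenario_initial_only(void)
{
    const int ev[] = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE };
    return run_events(ev, 2, -1);
}

enum reneg_state scenario_client_reneg(void)
{
    const int ev[] = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
                       SSL_CB_HANDSHAKE_START };
    return run_events(ev, 3, -1);
}

enum reneg_state scenario_server_reneg(void)
{
    const int ev[] = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
                       SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE };
    return run_events(ev, 4, 2);
}

int main(void)
{
    struct conn probe = { scenario_client_reneg() };
    printf("initial only      -> %d\n", scenario_initial_only());
    printf("client reneg      -> %d (abort=%d)\n", probe.reneg_state, must_abort(&probe));
    printf("server reneg      -> %d\n", scenario_server_reneg());
    return 0;
}
```

In a real module the `RENEG_ABORT` state would be checked by the read path after `SSL_read()` returns, and the connection closed there; the callback itself only records the decision, because it runs in the middle of OpenSSL's handshake processing.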
