httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: svn commit: r906039 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c ssl_engine_config.c ssl_engine_init.c ssl_engine_kernel.c ssl_private.h
Date Wed, 03 Feb 2010 17:09:50 GMT
On Wed, Feb 03, 2010 at 11:51:16AM -0500, Dan Poirier wrote:
> How about logging a dire warning during startup if insecure
> renegotiation has been enabled?

Hmmm, I'm not sure.  If the user has configured this it seems slightly 
patronising to then berate them for doing so.  Also, why log in the case 
that the directive is supported and enabled, but not the case where the 
directive is unsupported because OpenSSL is too old?  In either case 
reneg is (or may be) insecure.

I considered logging a warning for each client which renegotiates 
insecurely (whether due to lack of support on client or server), but, 
that's likely to be very noisy.

Regards, Joe


Mime
View raw message