httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: svn commit: r906039 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c ssl_engine_config.c ssl_engine_init.c ssl_engine_kernel.c ssl_private.h
Date Wed, 03 Feb 2010 21:18:26 GMT
On Wed, Feb 03, 2010 at 12:44:45PM -0500, Eric Covener wrote:
> On Wed, Feb 3, 2010 at 12:09 PM, Joe Orton <jorton@redhat.com> wrote:
> 
> > I considered logging a warning for each client which renegotiates
> > insecurely (whether due to lack of support on client or server), but,
> > that's likely to be very noisy.
> 
> Any way to note the insecure renegotiation and save it long enough to
> be associated with a r->notes or subprocess_env?
> 
> That would let you log it with IP and user-agent in access log (and
> help you convince yourself it might be safe to turn on strict
> renegotiation based on log analysis)

Nice idea, yes, that seems sensible.  This seems to work:

Index: ssl_engine_kernel.c
===================================================================
--- ssl_engine_kernel.c	(revision 906057)
+++ ssl_engine_kernel.c	(working copy)
@@ -242,6 +242,15 @@ int ssl_hook_ReadReq(request_rec *r)
                      ssl_util_vhostid(r->pool, r->server));
     }
 
+    apr_table_setn(r->notes, "ssl-secure-reneg", 
+#ifdef SSL_get_secure_renegotiation_support
+                   SSL_get_secure_renegotiation_support(ssl)
+                   ? "1" : "0"
+#else
+                   "0"
+#endif
+        );
+
     /* SetEnvIf ssl-*-shutdown flags can only be per-server,
      * so they won't change across keepalive requests
      */
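Review bot: the value stored under "ssl-secure-reneg" says whether the peer supports secure renegotiation (SSL_get_secure_renegotiation_support), not whether an insecure renegotiation actually happened on this connection, which is what the quoted reply asks to log; either name the note for what it records (e.g. "ssl-secure-reneg-support") or add a comment saying so, since a "0" from a client that never renegotiates will otherwise be read as an attack-relevant event in log analysis. In the #else branch the note is also set to "0" when OpenSSL simply lacks the macro, so a server built against an older OpenSSL will log every client as unsupported; leaving the note unset (or using a distinct value) there would keep the two cases apart. Minor: the apr_table_setn line carries trailing whitespace after the comma.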

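The log analysis the thread has in mind, as an added example that is not part of the original message or of mod_ssl: a small script that reads access-log lines carrying the note and tallies, per user agent, how many requests came from peers with and without secure-renegotiation support. It assumes the note is written into the access log with the standard `%{ssl-secure-reneg}n` LogFormat token (which logs "-" when the note is unset, e.g. for plain-HTTP requests); the format name `sslreneg`, the threshold in `safe_to_enforce` and the sample log lines are all constructed for this example.

```python
"""Tally which TLS clients negotiated with secure-renegotiation support."""
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic). The format assumed
# is the combined format plus one trailing field for the mod_ssl note:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{ssl-secure-reneg}n" sslreneg
# %{...}n logs "-" when the note is not set (e.g. a non-SSL request).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Feb/2010:21:18:26 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Gecko/20100203 Firefox/3.6" 1
192.0.2.11 - - [03/Feb/2010:21:18:27 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 0
192.0.2.12 - - [03/Feb/2010:21:18:28 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Gecko/20100203 Firefox/3.6" 1
192.0.2.11 - - [03/Feb/2010:21:18:29 +0000] "POST /login HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 0
198.51.100.5 - - [03/Feb/2010:21:18:30 +0000] "GET /api HTTP/1.1" 200 128 "-" "curl/7.19.7" 1
203.0.113.7 - - [03/Feb/2010:21:18:31 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Googlebot/2.1" -
"""

# Combined log format with the reneg note as the last field: "1", "0" or "-".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<reneg>[01-])$'
)


def parse_line(line):
    """Return (ip, user_agent, reneg_flag) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ua"), m.group("reneg")


def summarize(log_text):
    """Per user agent: request counts with/without secure-reneg support, and source IPs."""
    summary = defaultdict(lambda: {"secure": 0, "insecure": 0, "unknown": 0, "ips": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in another format rather than miscount them
        ip, ua, reneg = parsed
        bucket = {"1": "secure", "0": "insecure"}.get(reneg, "unknown")
        summary[ua][bucket] += 1
        summary[ua]["ips"].add(ip)
    return dict(summary)


def insecure_share(summary):
    """Fraction of TLS requests whose peer lacked secure renegotiation ("-" lines excluded)."""
    secure = sum(s["secure"] for s in summary.values())
    insecure = sum(s["insecure"] for s in summary.values())
    total = secure + insecure
    return insecure / total if total else 0.0


def clients_to_fix(summary):
    """User agents seen without secure-reneg support, busiest first."""
    bad = [(ua, s["insecure"]) for ua, s in summary.items() if s["insecure"]]
    return [ua for ua, _ in sorted(bad, key=lambda x: (-x[1], x[0]))]


def safe_to_enforce(summary, max_insecure_share=0.01):
    """True if requiring secure renegotiation would cut off no more than the tolerated share."""
    return insecure_share(summary) <= max_insecure_share


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ua, st in s.items():
        print(f"{ua!r}: secure={st['secure']} insecure={st['insecure']} "
              f"unknown={st['unknown']} ips={len(st['ips'])}")
    print(f"insecure share: {insecure_share(s):.1%}")
    print("clients to fix:", clients_to_fix(s))
    print("safe to enforce:", safe_to_enforce(s))
```

Lines whose note is "-" are counted as unknown and left out of the share, so plain-HTTP traffic does not dilute the figure; the decision threshold is a policy knob, and the list from `clients_to_fix` is what you would chase down before turning strict renegotiation on.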