httpd-dev mailing list archives

From "William A. Rowe Jr." <>
Subject Re: svn commit: r906039 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c ssl_engine_config.c ssl_engine_init.c ssl_engine_kernel.c ssl_private.h
Date Wed, 03 Feb 2010 21:33:23 GMT
On 2/3/2010 3:18 PM, Joe Orton wrote:
> On Wed, Feb 03, 2010 at 12:44:45PM -0500, Eric Covener wrote:
>> On Wed, Feb 3, 2010 at 12:09 PM, Joe Orton <> wrote:
>>> I considered logging a warning for each client which renegotiates
>>> insecurely (whether due to lack of support on client or server), but,
>>> that's likely to be very noisy.
>> Any way to note the insecure renegotiation and save it long enough to
>> be associated with a r->notes or subprocess_env?
>> That would let you log it with IP and user-agent in access log (and
>> help you convince yourself it might be safe to turn on strict
>> renegotiation based on log analysis)
> Nice idea, yes, that seems sensible.  This seems to work:

How would this work if the renegotiation occurred after the request
was actually sent?  [And of course, once the MITM is injected, you have
no trust of the chain of authority].

I can see a value in allow-from {trusted IP pool}.  But not sure this
really helps, since it doesn't limit the renegotiation, it limits the
request acceptance.
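The access-log analysis Eric Covener suggests above, as an added example that is not code from the thread or from httpd: it assumes a LogFormat that appends a per-request environment variable (named SSL_SECURE_RENEG here, assumed to be "true" when the connection supported secure renegotiation, "false" when it did not, and "-" when unset) and runs over constructed log lines.

```python
import re
from collections import defaultdict

# Constructed sample in combined log format plus a trailing %{SSL_SECURE_RENEG}e
# field (assumed LogFormat; the variable name and its true/false values are assumptions).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Feb/2010:15:18:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11) Gecko/20100101" true
192.0.2.11 - - [03/Feb/2010:15:18:02 -0500] "GET /secure/ HTTP/1.1" 200 1024 "-" "OldClient/1.0" false
192.0.2.11 - - [03/Feb/2010:15:18:03 -0500] "POST /secure/login HTTP/1.1" 302 0 "-" "OldClient/1.0" false
198.51.100.7 - - [03/Feb/2010:15:18:04 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.19.7" -
192.0.2.10 - - [03/Feb/2010:15:18:05 -0500] "GET /secure/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11) Gecko/20100101" true
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<reneg>\S+)$'
)

def parse_line(line):
    """Split one access-log line into named fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Return (insecure, secure, unknown): (ip, user-agent) -> request count."""
    insecure = defaultdict(int)
    secure = defaultdict(int)
    unknown = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["ua"])
        if rec["reneg"] == "false":
            insecure[key] += 1
        elif rec["reneg"] == "true":
            secure[key] += 1
        else:
            unknown += 1  # "-": variable unset (e.g. plain HTTP request)
    return dict(insecure), dict(secure), unknown

def strict_mode_safe(log_text, trusted_ips=()):
    """True if every client lacking secure renegotiation came from a trusted IP."""
    insecure, _, _ = summarize(log_text)
    return all(ip in trusted_ips for ip, _ua in insecure)

if __name__ == "__main__":
    for (ip, ua), n in sorted(summarize(SAMPLE_LOG)[0].items()):
        print(f"no secure renegotiation: {ip} {ua!r} x{n}")
```

Clients that appear only in the "insecure" map are the ones that would break once strict renegotiation is enforced, which is the decision the log review is meant to inform.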
