httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <>
Subject Re: [vote] release 2.2.15?
Date Wed, 03 Mar 2010 23:29:52 GMT
On Wed, Mar 03, 2010 at 10:40:34PM +0000, Dr Stephen Henson wrote:
> Joe Orton wrote:
> > On Wed, Mar 03, 2010 at 06:31:36PM +0000, Dr Stephen Henson wrote:
> > 
> >> Note that you don't need to abort if secure renegotiation is supported 
> >> by the client.
> > 
> > Is there any technical need to support client-initiated reneg?  It's a 
> > bad fit with mod_ssl.
> > 
> It has been reported that some clients (not OpenSSL based unless the application
> explicitly requests it) do renegotiate periodically. In one case sending back
> the no renegotiation alert to an unpatched client (*definitely* not OpenSSL
> based) meant the connection continued correctly.

Was this an HTTP client, do you have a reference for that?  I was only 
aware of use of SSL for protocols other than HTTP for which there were 
known cases of client-initiated reneg.

> I've no idea how widespread this is though. It's something which just 
> "worked" before and there'd be no reason to notice it.

For mod_ssl, e.g. I don't think things like SSLCipherSuite will be 
enforced correctly for a client-initated reneg which didn't involve a 
client cert request; there's no callback into mod_ssl to check it.  So 
I'm fairly happy with refusing client-initiated reneg regardless.

Regards, Joe

View raw message