httpd-dev mailing list archives

From Daniel Ruggeri <DRugg...@primary.net>
Subject Re: SSL related DoS
Date Sat, 16 Apr 2011 19:39:26 GMT
On 4/16/2011 11:52 AM, Chris Hill wrote:
> Dear Apache httpd dev list,
> ...
> The reason why I insist on this is that the world has come to depend on
> HTTP/SOAP over SSL (and Apache/OpenSSL are probably the most popular
> implementation) for business critical apps, yet, it is not clear how
> these businesses can play around with configuration parameters to fine
> tune these SSL settings to their specific needs, e.g. *ensure client
> side renegs can be disabled* or at least, *provide a way of limiting how
> many of these a client initiated re-negotiations (or initial handshakes)
> a server will allow per second for a specific connection/IP*. It is
> great that recent Apache builds disable client initiated renegotiation
> by default, but how can I ensure this will never be turned back on in
> future releases given the lack of configuration parameters?
>

Chris;
    I believe this topic (enable/disable renegotiation) was brought up 
on this list just a matter of days ago. I don't recall seeing a 
consensus, but I would agree that a configuration parameter to 
(dis)allow client-initiated renegotiation would be a Very Good Thing. I 
don't think this would be very difficult to implement - and would be a 
good start to correct the issues you call out.

-- 
Daniel Ruggeri
