Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 86467 invoked from network); 14 Apr 2011 09:41:34 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 14 Apr 2011 09:41:34 -0000 Received: (qmail 39659 invoked by uid 500); 14 Apr 2011 09:41:34 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 39481 invoked by uid 500); 14 Apr 2011 09:41:33 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 39473 invoked by uid 99); 14 Apr 2011 09:41:32 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Apr 2011 09:41:32 +0000 X-ASF-Spam-Status: No, hits=0.7 required=5.0 tests=RCVD_IN_DNSWL_NONE,SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (nike.apache.org: local policy) Received: from [64.202.165.37] (HELO smtpauth13.prod.mesa1.secureserver.net) (64.202.165.37) by apache.org (qpsmtpd/0.29) with SMTP; Thu, 14 Apr 2011 09:41:23 +0000 Received: (qmail 12561 invoked from network); 14 Apr 2011 09:41:01 -0000 Received: from unknown (76.252.112.72) by smtpauth13.prod.mesa1.secureserver.net (64.202.165.37) with ESMTP; 14 Apr 2011 09:41:01 -0000 Message-ID: <4DA6C12D.2020408@rowe-clan.net> Date: Thu, 14 Apr 2011 04:41:01 -0500 From: "William A. Rowe Jr." User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9 MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: Fwd: Client Initiated Renegotiation after 0.9.8l References: <4DA6B6FC.7010704@rowe-clan.net> <20110414092834.GA5142@redhat.com> In-Reply-To: <20110414092834.GA5142@redhat.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org On 4/14/2011 4:28 AM, Joe Orton wrote: > > If it's true that IIS also rejects client-initiated reneg (per claim in > that thread), I'd say there is no imperative to change mod_ssl's > behaviour from an interop perspective. > > You can argue for "correctness"; the protocol allows a client-initiated > reneg, so why should mod_ssl disable it? I don't find that terribly > compelling; reneg and HTTP over SSL is a conceptual mess, and a > significant proportion of the security issues in mod_ssl have been > reneg-related (though maybe that sounds FUDdish). As another data point, Tomcat https connector never really supported renegotiation until the eve of CVE 2009-3555, IIRC (talk about timing ;-) Thanks for the thread pointer. It seems like our directive is a serious misnomer, if it is required to enable either legacy or new renegotiation. Before 2.2.18, it seems prudent to make this a tristate (legacy or modern, modern only, or none) and support it again, even if the default is a safe 'none' value. Of course the very advisability of unilaterally trusting CAs has been in question for some time now, so to suggest we are protecting users by disabling any renegotiation seems like a small worry ;-)