httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: SSLRenegBufferSize
Date Tue, 03 May 2011 14:26:18 GMT
On Tue, May 03, 2011 at 09:39:56AM +0200, Dirk-Willem van Gulik wrote:
> Can anyone remember why SSLRenegBufferSize is set at 128k (131072 
> bytes) currently by default ?
> 
> And if that is just an accidental default - or if deep thought has 
> gone into it ?

No deep thought, a fairly random number.

> And what are the specific things which are likely to break if it is 
> set significantly smaller* ?

If you have some part of your SSL vhost configured with more restrictive 
SSL parameters than the rest - e.g. SSLVerifyClient in <Location> 
context, a reneg is needed when going from the less-restrictive to 
more-restrictive part.  If the request used in that transition includes 
a body - e.g. a POST somewhere covered by that <Location> - the reneg 
buffer is needed to allow the SSL handshake to take place *after* the 
entire HTTP body has been read by the server.

Ideally sites should be structured to ensure this is never needed; make 
sure the first request to any more-restricted area is a GET.  In that 
case is it perfectly safe (even, advisable) to set SSLRenegBufferSize to 
zero.

Otherwise, "what breaks" will be any clients sending bodies larger than 
the configured limit in requests which trigger a per-dir reneg.

Regards, Joe

Mime
View raw message