httpd-dev mailing list archives

From Joe Orton <>
Subject Re: SSLRenegBufferSize
Date Tue, 03 May 2011 14:26:18 GMT
On Tue, May 03, 2011 at 09:39:56AM +0200, Dirk-Willem van Gulik wrote:
> Can anyone remember why SSLRenegBufferSize is set at 128k (131072 
> bytes) currently by default ?
> And if that is just an accidental default - or if deep thought has 
> gone into it ?

No deep thought, a fairly random number.

> And what are the specific things which are likely to break if it is 
> set significantly smaller* ?

If you have some part of your SSL vhost configured with more restrictive 
SSL parameters than the rest - e.g. SSLVerifyClient in <Location> 
context, a reneg is needed when going from the less-restrictive to 
more-restrictive part.  If the request used in that transition includes 
a body - e.g. a POST somewhere covered by that <Location> - the reneg 
buffer is needed to allow the SSL handshake to take place *after* the 
entire HTTP body has been read by the server.

Ideally sites should be structured to ensure this is never needed; make 
sure the first request to any more-restricted area is a GET.  In that 
case it is perfectly safe (even, advisable) to set SSLRenegBufferSize to 

Otherwise, "what breaks" will be any clients sending bodies larger than 
the configured limit in requests which trigger a per-dir reneg.

Regards, Joe
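Two vhost layouts that illustrate the less-restrictive to more-restrictive transition Joe describes, as an added example that is not part of the thread; hostnames, IP address, file paths and the 16k buffer value are placeholders.

```apache
# Added example, not from the thread.  Layout A: SSLVerifyClient tightened
# per-directory.  The first request into /secure that carries a body (e.g. a
# POST) forces a renegotiation *after* the body has been read, so the body
# must fit in SSLRenegBufferSize or the request fails.  Keeping the buffer
# small limits how much body the server will hold in memory per connection.
<VirtualHost *:443>
    ServerName            www.example.com            # placeholder
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/example.crt       # placeholder path
    SSLCertificateKeyFile /etc/ssl/example.key       # placeholder path
    SSLCACertificateFile  /etc/ssl/client-ca.crt     # placeholder path

    SSLVerifyClient none        # vhost default: no client certificate

    <Location /secure>
        SSLVerifyClient require # stricter than the vhost -> per-dir reneg
        SSLRenegBufferSize 16384  # constructed value; only POSTs that are the
                                  # first request into /secure are affected,
                                  # and only if the body exceeds this size
    </Location>
</VirtualHost>

# Layout B: the restricted area lives on its own vhost, bound to a dedicated
# IP address so vhost selection does not depend on SNI.  The client
# certificate is requested in the initial handshake, no per-directory
# renegotiation is ever triggered, and the reneg buffer is never used, which
# is the "structure the site so a reneg is never needed" option.
<VirtualHost 192.0.2.10:443>     # placeholder address
    ServerName            secure.example.com         # placeholder
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/secure.crt        # placeholder path
    SSLCertificateKeyFile /etc/ssl/secure.key        # placeholder path
    SSLCACertificateFile  /etc/ssl/client-ca.crt     # placeholder path

    SSLVerifyClient require     # applies to the whole vhost from the start
</VirtualHost>
```

With layout A, an application that always enters /secure with a GET (a landing page) before any POST keeps the renegotiation body-free and makes the buffer size irrelevant in practice.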
