httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] Disabling client initiated renegotiation
Date Sat, 09 Apr 2011 23:37:46 GMT
On April 9, 2011 18:00, Chris Hill <chris.hillsec@gmail.com> wrote:
> My company relies on Apache for a number of customer facing sites. 
> What's a reliable way to disable client initiated renegotiation (both 
> secure and insecure renegotiation)? I know one specific openssl
> library (l) disables this, but then later ones enable "secure" 
> renegotiation, which we need to disable.
>
> Ideally, I'd like a solution through a configuration parameter so
> that future versions/upgrades do not re-enable renegotiation.

I don't have an answer for you, but, out of curiosity, why do you need 
to disable SSL 3.0 / TLS renegotiation?  If a client initiates a 
renegotiation, is this bad in some way?  Obviously, you trusted the 
client during the initial negotiation/handshake.

--
   Mark Montague
   mark@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

