httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Montague <>
Subject Re: [users@httpd] Disabling client initiated renegotiation
Date Sat, 09 Apr 2011 23:37:46 GMT
  On April 9, 2011 18:00 , Chris Hill <>  wrote:
> My company relies on Apache for a number of customer facing sites. 
> What's a reliable way to disable client initiated renegotiation (both 
> secure and insecure renegotiation)?. I know one specific openssl 
> library (l) disables this, but then later ones enable "secure" 
> renegotiation, which we need to disable.
> Ideally, I'd like a solution through an configuration parameter so 
> that future versions/upgrades do not re-enable renegotiation.

I don't have an answer for you, but, out of curiosity, why do you need 
to disable SSL 3.0 / TLS renegotiation?  If a client initiates a 
renegotiation, is this bad in some way?  Obviously, you trusted the 
client during the initial negotiation/handshake.

   Mark Montague

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message