httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Akshar Kanak <>
Subject [users@httpd] [mod_ssl] enforcing SSL renegotiation for AES-GCM based cipher suites
Date Mon, 13 Mar 2017 17:14:40 GMT
Dear team
     In mod_ssl is there any option to enforce SSL renegotiation after
certain amount of data has been transfered on SSL connection .
     If we are using cipher suite which has AES-GCM as encryption algorithm
, then its required that when the counter overlaps or overflows then
 SSL renegotiation should happen .
     In AES-GCM the final counter is
     [4 bytes salt which is negotiated between client and serevr ]
     [8 bytes of random bytes which are generated for the first time using
RAND_bytes (nonce_explicit).
      It is incremented for each TLS packet]
     [32 bit counter ]

    After 2^64 packets nonce_explicit will overlap or overflow (its
practically not possible but theoritically possible ).
    Openssl is not handling this case .

    Can mod_ssl handle this case ?

    Thanks and regards

View raw message