On Thu, Nov 05, 2009 at 09:38:23PM +0100, Ruediger Pluem wrote:
> If server-triggered renegotiation will not work at all, people will just
> ignore the update or remove it from 0.9.8l in their self-patched versions.
> So overall I guess we would be safer with an approach that
>
> 1. Turns off renegotiation (server and client) by default.
> 2. Allows turning on server- and client-triggered renegotiation in a way as
>    proposed by Joe.
> 3. Allows turning on server-triggered renegotiation by a compile-time option.
In discussion here, Theo Schlossnagle has suggested (and implemented for
another SSL server) an approach for (2) which I think we can use for
mod_ssl, and which doesn't require patching OpenSSL:

* we can detect in mod_ssl when the client is renegotiating by using the
  callback installed using SSL_CTX_set_info_callback(), in conjunction with
  suitable flags in the SSLConnRec to detect the cases where this is either
  a server-initiated renegotiation or the initial handshake on the
  connection.

I'll try a patch for this.

Regards, Joe
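The state tracking the message sketches, written out as an added illustration (this is not Joe's patch, nor code from mod_ssl or OpenSSL): a per-connection flag in the SSLConnRec records whether the connection is still in its initial handshake, established, or in a renegotiation that mod_ssl itself requested, and the info-callback logic uses that flag to classify each SSL_CB_HANDSHAKE_START event. The struct, enum and function names below are hypothetical, and the SSL_CB_* values are local stand-ins for the constants from <openssl/ssl.h>, so the block builds and runs without linking OpenSSL.

```c
#include <stdio.h>

/* Stand-ins for the "where" bits OpenSSL passes to the info callback
 * (assumed here so the example needs no OpenSSL headers; a real build
 * would include <openssl/ssl.h> and use its definitions). */
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20

/* Hypothetical per-connection renegotiation state, the "suitable flags in
 * the SSLConnRec" the message refers to. */
typedef enum {
    RENEG_INITIAL,        /* first handshake on the connection not finished yet */
    RENEG_REJECT_CLIENT,  /* established: a new handshake start can only be peer-initiated */
    RENEG_SERVER_ALLOWED, /* mod_ssl itself is about to renegotiate (e.g. per-location SSLVerifyClient) */
    RENEG_ABORT           /* a client-initiated renegotiation was seen; drop the connection */
} reneg_state_t;

typedef struct {
    reneg_state_t reneg_state;
    int handshakes_completed;
} ssl_conn_rec_t;   /* hypothetical stand-in for mod_ssl's SSLConnRec */

void conn_init(ssl_conn_rec_t *c)
{
    c->reneg_state = RENEG_INITIAL;
    c->handshakes_completed = 0;
}

/* mod_ssl would call this immediately before it triggers a renegotiation
 * itself, so the info callback knows the next handshake start is expected. */
void conn_server_triggered_reneg(ssl_conn_rec_t *c)
{
    c->reneg_state = RENEG_SERVER_ALLOWED;
}

/* Decision logic of the info callback. Returns 1 when the event is a
 * client-initiated renegotiation that must be refused, 0 otherwise.
 * The callback cannot abort the handshake from inside OpenSSL; it only
 * records RENEG_ABORT, and the filter driving SSL_read() checks that flag
 * afterwards and closes the connection. */
int reneg_info_event(ssl_conn_rec_t *c, int where)
{
    if (where & SSL_CB_HANDSHAKE_START) {
        switch (c->reneg_state) {
        case RENEG_INITIAL:         /* the initial handshake: always fine */
        case RENEG_SERVER_ALLOWED:  /* we asked for this one */
            return 0;
        case RENEG_REJECT_CLIENT:   /* nobody on our side asked: the peer did */
        case RENEG_ABORT:
            c->reneg_state = RENEG_ABORT;
            return 1;
        }
    } else if (where & SSL_CB_HANDSHAKE_DONE) {
        c->handshakes_completed++;
        /* Once any handshake finishes, further starts are suspect unless
         * conn_server_triggered_reneg() is called first. */
        if (c->reneg_state != RENEG_ABORT)
            c->reneg_state = RENEG_REJECT_CLIENT;
    }
    return 0;
}

/* Feed a constructed sequence of callback events; returns how many of them
 * were classified as client-initiated renegotiations. */
int count_rejected(ssl_conn_rec_t *c, const int *events, int n)
{
    int rejected = 0;
    for (int i = 0; i < n; i++)
        rejected += reneg_info_event(c, events[i]);
    return rejected;
}

int main(void)
{
    /* Constructed scenario: initial handshake, then the peer tries to
     * renegotiate, then (on a fresh connection) the server renegotiates. */
    const int peer_reneg[] = { SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
                               SSL_CB_HANDSHAKE_START };
    ssl_conn_rec_t a;
    conn_init(&a);
    printf("peer-initiated renegotiations rejected: %d\n",
           count_rejected(&a, peer_reneg, 3));

    ssl_conn_rec_t b;
    conn_init(&b);
    reneg_info_event(&b, SSL_CB_HANDSHAKE_START);
    reneg_info_event(&b, SSL_CB_HANDSHAKE_DONE);
    conn_server_triggered_reneg(&b);
    printf("server-triggered renegotiation rejected: %d\n",
           reneg_info_event(&b, SSL_CB_HANDSHAKE_START));
    return 0;
}
```

The essential point is the ordering: the flag must be set to RENEG_SERVER_ALLOWED before mod_ssl calls into OpenSSL to renegotiate, because the callback fires synchronously during that call and has no other way to tell a server-requested handshake from one the peer injected.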