Torsten Foertsch wrote:
If
your/authentication/ is a resource that generates a directory listing
via mod_autoindex then apache issues a subrequest for each directory
entry.
This is not what I was testing, but you are *very right* that there is
also that problem. I'll open a bug for it, maybe analyzes will show it's
just a duplicate of 48215, but for now technically it might be a
different issue.
> Now, if only/authentication/ requires a client certificate but
> the VHost or base server does not then each entry leads to a
> renegotiation.
Correct me if I am wrong but that is how I have
explained the behavior for me.
I don't know but anyway it's still a bug.
If the resolution of the SSL vulnerability had been to remove
renegociation altogether, it would not matter. But as renegociation will
still be there, bugs that affect renegociation should be solved.
