On Wed, Feb 03, 2010 at 11:51:16AM -0500, Dan Poirier wrote:
> How about logging a dire warning during startup if insecure renegotiation has been enabled?
Hmmm, I'm not sure. If the user has configured this it seems slightly patronising to then berate them for doing so. Also, why log in the case that the directive is supported and enabled, but not the case where the directive is unsupported because OpenSSL is too old? In either case reneg is (or may be) insecure. I considered logging a warning for each client which renegotiates insecurely (whether due to lack of support on client or server), but, that's likely to be very noisy.

Regards, Joe
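The per-client warning Joe mentions would have to tell, from the handshake, whether a connecting client supports RFC 5746 secure renegotiation. The check below is an added example and not code from this thread or from mod_ssl: it parses a TLS ClientHello and looks for the two signals RFC 5746 defines, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00FF) and the renegotiation_info extension (type 0xFF01). The sample ClientHellos are constructed in the script rather than captured, and the `renegotiation_log_line` format is a hypothetical stand-in for whatever a server would actually log.

```python
"""Detect whether a TLS ClientHello advertises RFC 5746 secure renegotiation.

A client that supports secure renegotiation signals it in one of two ways:
  * the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00FF), or
  * the renegotiation_info extension (type 0xFF01).
A ClientHello carrying neither comes from a legacy client, which is exactly
the case a per-client "insecure renegotiation" warning would have to spot.
"""
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746, 3.3)
EXT_RENEG_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746, 3.2)
HANDSHAKE = 0x16         # TLS record content type
CLIENT_HELLO = 0x01      # handshake message type


def build_client_hello(cipher_suites, extensions=()):
    """Assemble a minimal TLS 1.2 ClientHello record (constructed test input).

    extensions is a sequence of (type, data) tuples.
    """
    body = b"\x03\x03" + bytes(32)          # client_version, random (zeroed)
    body += b"\x00"                          # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def _parse(record):
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello body")

    pos = 2 + 32                             # skip client_version and random
    pos += 1 + body[pos]                     # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + suites_len]
    pos += suites_len
    if len(raw) != suites_len or suites_len % 2:
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]
    pos += 1 + body[pos]                     # skip compression_methods

    extensions = {}
    if pos < len(body):                      # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("bad extensions length")
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions[etype] = body[pos:pos + elen]
            pos += elen
        if pos != end:
            raise ValueError("bad extension framing")
    return suites, extensions


def parse_client_hello(record):
    """Return (cipher_suites, {ext_type: data}); ValueError on malformed input."""
    try:
        return _parse(record)
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc


def client_supports_secure_renegotiation(record):
    """True if the ClientHello carries the SCSV or the renegotiation_info extension."""
    suites, extensions = parse_client_hello(record)
    return SCSV in suites or EXT_RENEG_INFO in extensions


def renegotiation_log_line(peer, record):
    """Hypothetical per-client log line of the kind discussed in the thread."""
    if client_supports_secure_renegotiation(record):
        return f"[info] {peer}: client supports RFC 5746 secure renegotiation"
    return f"[warn] {peer}: legacy client, any renegotiation would be insecure"


# Constructed sample ClientHellos (not captured traffic):
AES128 = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA
MODERN_SCSV = build_client_hello([AES128, SCSV])
MODERN_EXT = build_client_hello([AES128], [(EXT_RENEG_INFO, b"\x00")])  # empty renegotiated_connection
LEGACY = build_client_hello([AES128])

if __name__ == "__main__":
    for name, rec in (("scsv", MODERN_SCSV), ("ext", MODERN_EXT), ("legacy", LEGACY)):
        print(renegotiation_log_line(name, rec))
```

Note that this only classifies the client side; a server whose OpenSSL predates RFC 5746 never emits the extension itself, so a full check would also inspect the ServerHello, which is the other half of Joe's "client or server" caveat.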
