On Wed, Feb 03, 2010 at 12:44:45PM -0500, Eric Covener wrote:
> On Wed, Feb 3, 2010 at 12:09 PM, Joe Orton <[email protected]> wrote:
>
> > I considered logging a warning for each client which renegotiates
> > insecurely (whether due to lack of support on client or server), but,
> > that's likely to be very noisy.
>
> Any way to note the insecure renegotiation and save it long enough to
> be associated with a r->notes or subprocess_env?
>
> That would let you log it with IP and user-agent in access log (and
> help you convince yourself it might be safe to turn on strict
> renegotiation based on log analysis)
Nice idea, yes, that seems sensible. This seems to work:
Index: ssl_engine_kernel.c
===================================================================
--- ssl_engine_kernel.c (revision 906057)
+++ ssl_engine_kernel.c (working copy)
@@ -242,6 +242,15 @@ int ssl_hook_ReadReq(request_rec *r)
ssl_util_vhostid(r->pool, r->server));
}
+ apr_table_setn(r->notes, "ssl-secure-reneg",
+#ifdef SSL_get_secure_renegotiation_support
+ SSL_get_secure_renegotiation_support(ssl)
+ ? "1" : "0"
+#else
+ "0"
+#endif
+ );
+
/* SetEnvIf ssl-*-shutdown flags can only be per-server,
* so they won't change across keepalive requests
*/
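Review bot: the `#else` branch stores "0" when the build's OpenSSL headers predate SSL_get_secure_renegotiation_support, so in the access log a server linked against an old library looks identical to a client that really lacks the extension; since the purpose of this note is to decide from log analysis whether strict renegotiation can be enabled, consider a distinct value there (e.g. not setting the note at all, or setting it to "unknown") so that `%{ssl-secure-reneg}n` in a LogFormat only ever reports "0" for a genuinely unsupporting peer. Also worth a one-line comment above the apr_table_setn call saying the note is per-connection state re-exported on every request, so a reader does not mistake it for something that can change between keepalive requests.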