On Tue, Feb 9, 2010 at 7:46 AM,  <jor...@apache.org> wrote:
> Author: jorton
> Date: Tue Feb  9 12:46:17 2010
> New Revision: 908015
>
> URL: http://svn.apache.org/viewvc?rev=908015&view=rev
> Log:
> * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLInsecureRenegotiation):
>  Tweak error wording for when the directive is not supported.
>
> Modified:
>    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=908015&r1=908014&r2=908015&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Tue Feb  9 12:46:17 2010
> @@ -637,7 +637,8 @@
>     sc->insecure_reneg = flag?TRUE:FALSE;
>     return NULL;
>  #else
> -    return "SSLInsecureRenegotiation is not supported by the SSL library";
> +    return "Secure renegotation is not supported by the SSL library; "
> +        "the SSLInsecureRenegotiation directive is not available";
>  #endif
>  }
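Review bot: the replacement string on the `+` lines misspells "renegotiation" ("Secure renegotation is not supported ..."); fix the typo before this ships in an error message. Beyond that, the message leads with a fact about the library rather than with the directive the admin actually wrote: someone who sets `SSLInsecureRenegotiation Off` on a pre-0.9.8m OpenSSL is told that secure renegotiation is unsupported, which does not explain why the directive was rejected. Consider leading with the directive and pointing at the docs, e.g. `"SSLInsecureRenegotiation is not available with this SSL library (no secure renegotiation support); see the mod_ssl documentation"`. Note also that this `#else` branch covers both the 0.9.8k-and-earlier case (legacy renegotiation only) and the 0.9.8l case (no renegotiation at all), which differ in exposure to CVE-2009-3555, so the wording should not imply a single state.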

Besides losing 5 points for spelling, is it worth punting as much as
possible to the docs?

Some poor sysadmin told to add "SSLInsecureRenegotiation Off"
everywhere just to be safe encounters some box with older OpenSSL and
sees "Secure renegotiation is not supported by the SSL library", which
is really beside the point.

OpenSSL 0.9.8k and below:

* This directive is not available.

* Only insecure (legacy) renegotiation is supported.  It can only be
disabled by changing the mod_ssl configuration XXXX.

* For affected configurations, SSL connections will be vulnerable to
the Man-in-the-Middle prefix attack as described in CVE-2009-3555.

OpenSSL 0.9.8l:

* This directive is not available.

* No renegotiation, secure or insecure (legacy), is supported.

* SSL connections will not be vulnerable to the Man-in-the-Middle
prefix attack as described in CVE-2009-3555, but some mod_ssl
configurations XXXXX.

OpenSSL 0.9.8m and above:

* This directive is available to enable insecure (legacy)
renegotiation, if absolutely necessary.

* Secure renegotiation is supported.

* For affected configurations, if this directive is enabled to allow
legacy, insecure renegotiation, SSL connections will be vulnerable to
the Man-in-the-Middle prefix attack as described in CVE-2009-3555.

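The three cases laid out above are hard for an admin to tell apart from the error message alone, so the following is a small check added here (it is not part of the thread above, nor of httpd/mod_ssl) that classifies what a server actually negotiates. It parses the "Secure Renegotiation IS supported" / "IS NOT supported" summary line that `openssl s_client` prints after the handshake when the client-side OpenSSL is 0.9.8m or later; the sample inputs are constructed excerpts of that output, and `probe_reneg` is an assumed wrapper name for running it against a live host.

```shell
#!/bin/sh
# Added example for this thread; not part of httpd/mod_ssl or of the
# message above. Classifies a server's renegotiation support from the
# summary line that `openssl s_client` (0.9.8m and later) prints after
# the handshake, so an admin can see what a box actually negotiates
# instead of relying on whether the directive was accepted.
#
# Result values:
#   secure  - server speaks RFC 5746 secure renegotiation (0.9.8m+ style)
#   legacy  - server does not advertise it; this covers both the 0.9.8k
#             style (legacy renegotiation, exposed to the CVE-2009-3555
#             prefix attack) and the 0.9.8l style (renegotiation disabled
#             entirely); the summary line cannot tell those two apart
#   unknown - no summary line at all (client OpenSSL too old to report
#             it, or the handshake failed)

# Read s_client output on stdin and print one of the three words above.
reneg_status() {
    awk '
        /Secure Renegotiation IS NOT supported/ { s = "legacy" }
        /Secure Renegotiation IS supported/     { s = "secure" }
        END { print (s == "" ? "unknown" : s) }
    '
}

# Probe a live server (assumed helper name; needs network, so the
# samples below do not exercise it). </dev/null ends the session
# right after the handshake.
probe_reneg() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | reneg_status
}

# Constructed excerpts of s_client output used as sample input.
SAMPLE_SECURE='SSL handshake has read 1234 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
Compression: NONE'
SAMPLE_LEGACY='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
Compression: NONE'
SAMPLE_OLD='New, TLSv1/SSLv3, Cipher is AES256-SHA
Compression: NONE'

# Run the classifier over the three samples: secure, legacy, unknown.
for s in "$SAMPLE_SECURE" "$SAMPLE_LEGACY" "$SAMPLE_OLD"; do
    printf '%s\n' "$s" | reneg_status
done
```

A `legacy` result is the one that needs a follow-up, because it lumps together the vulnerable 0.9.8k-and-earlier case and the safe-but-renegotiation-less 0.9.8l case. To separate them, run `openssl s_client` interactively against the server and type `R` on its own line to request a renegotiation: a server that has renegotiation disabled rejects it, while one that still performs legacy renegotiation completes a second handshake and is the case the directive is meant to cover.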