On 4/16/2011 11:52 AM, Chris Hill wrote:
Dear Apache httpd dev list,
...
The reason why I insist on this is that the world has come to depend on
HTTP/SOAP over SSL (and Apache/OpenSSL are probably the most popular
implementation) for business critical apps, yet, it is not clear how
these businesses can play around with configuration parameters to fine
tune these SSL settings to their specific needs, e.g. *ensure client
side renegs can be disabled* or at least, *provide a way of limiting how
many of these client-initiated re-negotiations (or initial handshakes)
a server will allow per second for a specific connection/IP*. It is
great that recent Apache builds disable client-initiated renegotiation
by default, but how can I ensure this will never be turned back on in
future releases given the lack of configuration parameters?


Chris;
I believe this topic (enable/disable renegotiation) was brought up on this list just a matter of days ago. I don't recall seeing a consensus, but I would agree that a configuration parameter to (dis)allow client-initiated renegotiation would be a Very Good Thing. I don't think this would be very difficult to implement - and would be a good start to correct the issues you call out.

--
Daniel Ruggeri
