On Sat, Apr 16, 2011 at 3:39 PM, Daniel Ruggeri <drugg...@primary.net> wrote:
> On 4/16/2011 11:52 AM, Chris Hill wrote:
>>
>> Dear Apache httpd dev list,
>> ...
>> The reason why I insist on this is that the world has come to depend on
>> HTTP/SOAP over SSL (and Apache/OpenSSL are probably the most popular
>> implementation) for business critical apps, yet, it is not clear how
>> these businesses can play around with configuration parameters to fine
>> tune these SSL settings to their specific needs, e.g. *ensure client
>> side renegs can be disabled* or at least, *provide a way of limiting how
>> many of these client initiated re-negotiations (or initial handshakes)
>> a server will allow per second for a specific connection/IP*. It is
>> great that recent Apache builds disable client initiated renegotiation
>> by default, but how can I ensure this will never be turned back on in
>> future releases given the lack of configuration parameters?
>>
>
> Chris;
> I believe this topic (enable/disable renegotiation) was brought up on this
> list just a matter of days ago. I don't recall seeing a consensus, but I
> would agree that a configuration parameter to (dis)allow client-initiated
> renegotiation would be a Very Good Thing. I don't think this would be very
> difficult to implement - and would be a good start to correct the issues you
> call out.
I thought client-initiated renegotiation was already disabled out of the box,
with no configuration mechanism to re-enable. From ssl_engine_kernel.c,
2.2.x-latest:

    /* If the first handshake is complete, change state to reject any
     * subsequent client-initiated renegotiation. */
    else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
        scr->reneg_state = RENEG_REJECT;
    }
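The snippet above only shows the state transition; what makes it effective is that a later input check refuses any further handshake record once the connection is in RENEG_REJECT. The following standalone C program is an added illustration of that two-part mechanism, not httpd's own code: the `CB_HANDSHAKE_*`/`RT_*` constants are defined locally (their values mirror OpenSSL's `SSL_CB_HANDSHAKE_START`, `SSL_CB_HANDSHAKE_DONE` and the TLS handshake content type, so the file builds without OpenSSL headers), `accept_record()` is a simplified stand-in for mod_ssl's record-level input filter, and the `RENEG_ALLOW` state and `simulate_*` drivers are assumptions made for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Local copies of the values used below: OpenSSL's SSL_CB_HANDSHAKE_START
 * (0x10) and SSL_CB_HANDSHAKE_DONE (0x20), and the TLS record content types
 * for handshake (22) and application data (23). Defined here as an
 * assumption so the example compiles without OpenSSL headers. */
#define CB_HANDSHAKE_START 0x10
#define CB_HANDSHAKE_DONE  0x20
#define RT_HANDSHAKE       22
#define RT_APPLICATION     23

/* Per-connection renegotiation state, named after the quoted snippet.
 * RENEG_ALLOW is an assumption of this example: it models the window in
 * which the server itself has asked for a renegotiation. */
typedef enum { RENEG_INIT = 0, RENEG_REJECT, RENEG_ALLOW } reneg_state_t;

typedef struct {
    reneg_state_t reneg_state;
    unsigned rejected_records;   /* handshake records dropped by the gate */
} conn_ctx;

/* Stand-in for the SSL info callback: once the first handshake completes,
 * the connection moves to RENEG_REJECT. A server-opened window (RENEG_ALLOW)
 * is closed again when its handshake completes. */
void reneg_info_cb(conn_ctx *scr, int where)
{
    if ((where & CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
        scr->reneg_state = RENEG_REJECT;
    } else if ((where & CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_ALLOW) {
        scr->reneg_state = RENEG_REJECT;
    }
}

/* Input gate applied to each 5-byte TLS record header before the record is
 * handed to the library: a handshake record arriving while the connection
 * is in RENEG_REJECT is a client-initiated renegotiation and is refused.
 * Returns 1 to accept the record, 0 to reject it. */
int accept_record(conn_ctx *scr, const uint8_t *hdr, size_t len)
{
    if (len < 5) {
        return 0;                      /* incomplete record header */
    }
    if (hdr[0] == RT_HANDSHAKE && scr->reneg_state == RENEG_REJECT) {
        scr->rejected_records++;
        return 0;
    }
    return 1;
}

/* Constructed record headers: content type, version 3.1, zero length. */
static const uint8_t HS_HDR[5]  = { RT_HANDSHAKE,   3, 1, 0, 0 };
static const uint8_t APP_HDR[5] = { RT_APPLICATION, 3, 1, 0, 0 };

/* Scenario 1: initial handshake, application data, then the client sends a
 * new ClientHello. Returns how many records the gate rejected (1). */
unsigned simulate_client_reneg(void)
{
    conn_ctx c = { RENEG_INIT, 0 };
    accept_record(&c, HS_HDR, 5);           /* first ClientHello: accepted */
    reneg_info_cb(&c, CB_HANDSHAKE_START);
    reneg_info_cb(&c, CB_HANDSHAKE_DONE);   /* state -> RENEG_REJECT */
    accept_record(&c, APP_HDR, 5);          /* application data: accepted */
    accept_record(&c, HS_HDR, 5);           /* second ClientHello: rejected */
    return c.rejected_records;
}

/* Scenario 2 (assumed model): the server opens a renegotiation window, the
 * handshake inside it is accepted, and the window closes afterwards.
 * Returns 1 when nothing was rejected and the state ends in RENEG_REJECT. */
int simulate_server_reneg(void)
{
    conn_ctx c = { RENEG_INIT, 0 };
    accept_record(&c, HS_HDR, 5);
    reneg_info_cb(&c, CB_HANDSHAKE_DONE);   /* first handshake done */
    c.reneg_state = RENEG_ALLOW;            /* server asks to renegotiate */
    accept_record(&c, HS_HDR, 5);           /* accepted inside the window */
    reneg_info_cb(&c, CB_HANDSHAKE_DONE);   /* window closes */
    return c.rejected_records == 0 && c.reneg_state == RENEG_REJECT;
}

int main(void)
{
    printf("client-initiated renegotiation records rejected: %u\n",
           simulate_client_reneg());
    printf("server-initiated window accepted then closed: %s\n",
           simulate_server_reneg() ? "yes" : "no");
    return 0;
}
```

The point for anyone auditing a build is that the protection lives in code paths, not in a directive: the callback flips the state once, and the gate enforces it on every subsequent record. On a running server the same behaviour can be confirmed with `openssl s_client` by issuing its `R` (renegotiate) command after the initial handshake; a server in RENEG_REJECT refuses the handshake record and the connection is closed.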