On Tue, May 03, 2011 at 09:39:56AM +0200, Dirk-Willem van Gulik wrote:
> Can anyone remember why SSLRenegBufferSize is set at 128k (131072
> bytes) currently by default ?
>
> And if that is just an accidental default - or if deep thought has
> gone into it ?
No deep thought, a fairly random number.

> And what are the specific things which are likely to break if it is
> set significantly smaller* ?

If you have some part of your SSL vhost configured with more restrictive SSL parameters than the rest - e.g. SSLVerifyClient in <Location> context - a reneg is needed when going from the less-restrictive to the more-restrictive part. If the request used in that transition includes a body - e.g. a POST somewhere covered by that <Location> - the reneg buffer is needed to allow the SSL handshake to take place *after* the entire HTTP body has been read by the server.

Ideally sites should be structured to ensure this is never needed; make sure the first request to any more-restricted area is a GET. In that case it is perfectly safe (even advisable) to set SSLRenegBufferSize to zero.

Otherwise, "what breaks" will be any clients sending bodies larger than the configured limit in requests which trigger a per-dir reneg.

Regards, Joe
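The per-directory renegotiation case Joe describes, written out as an added mod_ssl configuration example (this is not from the original thread or from the httpd project): a vhost where client-certificate verification is required only under one <Location>, so the first request into that path forces a renegotiation. The hostname, certificate paths and the /secure/ path are placeholders; SSLRenegBufferSize and SSLVerifyClient are the directives named in the mail, the rest are standard mod_ssl directives.

```apache
# Added illustration, not part of the thread: one vhost, one subtree
# with stricter SSL parameters.  Hostname and paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.crt
    SSLCertificateKeyFile /etc/ssl/example.key
    SSLCACertificateFile  /etc/ssl/client-ca.crt

    # Most of the vhost: no client certificate is requested during the
    # initial handshake.
    SSLVerifyClient none

    # Only this subtree requires a client cert.  The first request that
    # reaches it on a connection set up without a cert triggers a
    # renegotiation (the "less-restrictive to more-restrictive" transition).
    <Location /secure/>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>

    # Default behaviour (the "fairly random" 128k): a POST into /secure/
    # that triggers the reneg has its body buffered, up to 131072 bytes,
    # so the handshake can run after the whole body has been read.
    # Bodies larger than the limit break that request.
    #SSLRenegBufferSize 131072

    # Joe's advice: structure the site so the first request into /secure/
    # is always a GET (for this example, the form page itself lives under
    # /secure/, so any later POST arrives on an already-renegotiated
    # connection).  Then no body ever needs buffering and the buffer can
    # be disabled.
    SSLRenegBufferSize 0
</VirtualHost>
```

Note that httpd does not accept comments trailing a directive on the same line, which is why every comment above sits on its own line; `apachectl -t` will flag that class of mistake before a restart. With the buffer set to 0, the failure mode to test for is exactly the one Joe names: a client whose very first request into /secure/ is a POST with a body.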