Hello

I played around with the dynamic (location specific) renegotiation and have
now the following questions:

I use apache-1.3.6, mod_ssl-2.2.8

From my point of view there are far too many renegotiations, which is
especially annoying if client certs are requested because a user interaction
is always required. Could the logic which determines a renegotiation
be slightly changed?

A renegotiation only happens if:

1.) the current cipher is not contained in the new cipher list

2.) the current cert chain length is longer than the verify depth

3.) verify client is required and no peer cert is available

4.) ....

During my tests I found a behaviour which I don't understand. Probably
someone can explain it to me:

The following two cipher lists are the same:

   HIGH:+MEDIUM
   HIGH:+MEDIUM:+EXP

But the following one contains the export ciphers, as expected:

  HIGH:+MEDIUM:EXP

You can verify this with 'openssl ciphers -v <list>'.


cu

Matthias

-------------------------------------------------------------------------------
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED]   Voice: +41 1 272 6111   Fax: +41 1 272 6312
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
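The difference between the three cipher lists in the message comes from the OpenSSL cipher-string operators: a bare alias (EXP) appends the matching ciphers, while a +-prefixed alias (+EXP, +MEDIUM) only moves ciphers that are already in the list to its end and adds nothing, so +EXP on a list that contains no export ciphers is a no-op. The script below is an added example, not code from the message or from OpenSSL/mod_ssl; it models those documented operator rules (':' list, '+' move, '-' remove, '!' kill, intra-token '+' as AND) over a small constructed cipher table and shows why the first two strings above expand identically. The real check is still 'openssl ciphers -v <list>' as the author says.

```python
"""Toy model of OpenSSL cipher-string operator semantics.

Added example with a constructed cipher table; it is not OpenSSL's own
parser and the table is not a real 'openssl ciphers' dump.
"""

# Constructed table (hypothetical subset): cipher name -> aliases it matches.
CIPHERS = [
    ("DES-CBC3-SHA",    {"HIGH", "RSA", "3DES", "SHA1"}),
    ("RC4-SHA",         {"MEDIUM", "RSA", "RC4", "SHA1"}),
    ("RC4-MD5",         {"MEDIUM", "RSA", "RC4", "MD5"}),
    ("EXP-RC4-MD5",     {"EXP", "EXPORT", "RSA", "RC4", "MD5"}),
    ("EXP-DES-CBC-SHA", {"EXP", "EXPORT", "RSA", "DES", "SHA1"}),
]


def _matches(name, aliases, token):
    # "RSA+HIGH" inside one token is a logical AND of aliases;
    # "ALL" matches everything and a cipher name matches itself.
    return all(part == "ALL" or part == name or part in aliases
               for part in token.split("+"))


def expand(cipher_string):
    """Return the ordered cipher list that `cipher_string` selects."""
    selected = []   # current ordered list
    killed = set()  # ciphers removed with '!' can never be re-added
    for raw in cipher_string.split(":"):
        if not raw:
            continue
        op, token = (raw[0], raw[1:]) if raw[0] in "+-!" else ("", raw)
        # Resolve the token against the whole table, not the current list:
        # an alias that matches nothing at all is a syntax error, but "+EXP"
        # with no export cipher currently selected is simply a no-op.
        hits = [n for n, aliases in CIPHERS if _matches(n, aliases, token)]
        if not hits:
            raise ValueError(f"unknown cipher or alias: {token!r}")
        if op == "":
            # bare alias: append matching ciphers not already present/killed
            selected += [n for n in hits if n not in selected and n not in killed]
        elif op == "-":
            # temporary removal; a later bare alias can bring them back
            selected = [n for n in selected if n not in hits]
        elif op == "!":
            # permanent removal
            killed.update(hits)
            selected = [n for n in selected if n not in hits]
        else:
            # '+': reorder only -- move matching ciphers to the end,
            # never add anything
            selected = ([n for n in selected if n not in hits]
                        + [n for n in selected if n in hits])
    return selected


if __name__ == "__main__":
    for s in ("HIGH:+MEDIUM", "HIGH:+MEDIUM:+EXP", "HIGH:+MEDIUM:EXP",
              "MEDIUM:HIGH:+MEDIUM", "ALL:!EXP:EXP", "ALL:-EXP:EXP"):
        print(f"{s:22} -> {':'.join(expand(s))}")
```

Running it shows HIGH:+MEDIUM and HIGH:+MEDIUM:+EXP both yielding only the HIGH cipher, while HIGH:+MEDIUM:EXP appends the two export ciphers; the last three strings illustrate the move, kill and temporary-remove operators. Note that under these rules +MEDIUM adds nothing either, so a list meant to contain medium-strength ciphers needs a bare MEDIUM token.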