Re: dynamic renegotiation

Ralf S. Engelschall Thu, 15 Apr 1999 01:40:05 -0700
On Wed, Apr 14, 1999, Matthias Loepfe wrote:

> >From my point of view there happen much too much renegotiations 

Yes, that's correct. We've recognized this some time ago, too.  I've written
it down on my TODO list, but it's non-trivial to make better.

> which is
> especially anoying if client certs are requested because there is always
> a user interaction required. Could the logic which determines a renegotiation
> be slightly changed?
> 
> A renegotiation only happens if:
> 1.) if current cipher is not contained in the new cipher list
> 2.) if current cert chain length is longer than the verify depth
> 3.) if verify client is required and no peer cert is available
> 4.) ....

Hmm... good suggestions, but as I already said once in the past: One has to be
_VERY_ carefully when doing short-cuts or optimizations for this stuff because
one can too easily introduce security holes. That's why I currently
implemented it this way: mod_ssl checks whether the parameters change in _any_
way and when it changed it forces a renegotiation.  You're right that this
often still is too much renegotiation.  I'll try to sit down in a silent
minute and think about the possible and safe optimizations again.

> During my tests I found a behaviour which I don't understand. Probably
> someone can explain it to me:
> 
> The following two cipher lists are the same:
>    HIGH:+MEDIUM
>    HIGH:+MEDIUM:+EXP
> But the following contains the export ciphers as expected
>   HIGH:+MEDIUM:EXP
> You can verify it with 'openssl ciphers -v <list>'

<grin> That's because Eric's syntax is strange.  The "+XXX" does _NOT_ mean
"plus XXX" or "add XXX to the cipher suite". It means "move XXX to this place
of the ordering". When you don't have XXX in the cipher suite "+XXX" is
useless. That why CipherSuite strings usually start with some "XXX:YYY:ZZZ"
followed with appended ":+AAA:+BBB" where AAA and BBB are subparts of XXX, YYY
or ZZZ. Read the mod_ssl user manual carefully. I think I've explained it
there in detail.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
Re: dynamic renegotiation

Reply via email to
