On 2016-08-11 11:34:24 [+0200], Hubert Kario wrote:
> it all depends on the environment, in some renegotiation is completely
> unnecessary (public HTTP servers without client certificate based
> authentication), in others just client-initiated renegotiation is needed
> (typical configuration for HTTP with client certificates), while in other

Is this renegotiation (in this case) triggered by the client or by the
server? I have here access to a few servers which require client certs
and they don't support renegotiation (triggered by the client) right
after connect.

> still renegotiation is necessary for both sides (long sessions that want the
> ability to renew encryption keys).

You are talking here about long sessions. A simple rate limit would be
okay. My wording was "remove client initiated renegotiation if possible"
I think. Also keeping a rate limit per connection would be nice then.

Sebastian
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
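A per-connection renegotiation policy of the kind discussed above, as an added example in C (not code from this thread or from OpenSSL itself): client-initiated renegotiation is rejected outright when the policy disables it, and otherwise limited to a fixed number per sliding time window, while server-initiated key renewal on long sessions is always allowed. The struct and function names, the ring-buffer size and the limits are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Per-server policy (example code, not an OpenSSL API). */
typedef struct {
    bool allow_client_initiated;   /* false: reject every client-initiated renegotiation */
    unsigned max_per_window;       /* client-initiated renegotiations allowed per window */
    uint64_t window_secs;          /* sliding window length in seconds */
} renego_policy;

#define RENEGO_HISTORY 16          /* must be >= max_per_window for an exact limit */

/* Per-connection state: ring buffer of accepted renegotiation timestamps. */
typedef struct {
    uint64_t stamps[RENEGO_HISTORY];
    size_t count;                  /* filled slots, at most RENEGO_HISTORY */
    size_t head;                   /* next slot to write */
} renego_state;

void renego_init(renego_state *st) { memset(st, 0, sizeof *st); }

/* Decide whether a renegotiation starting at time `now` may proceed.
 * `client_initiated` is true when the peer asked for it.  In a real server this
 * would be consulted when a new handshake begins on an established connection
 * (e.g. from the SSL info callback); here it is a pure policy function. */
bool renego_allowed(renego_state *st, const renego_policy *pol,
                    uint64_t now, bool client_initiated)
{
    if (!client_initiated)
        return true;               /* server-driven key renewal is not rate limited */
    if (!pol->allow_client_initiated)
        return false;              /* "remove client initiated renegotiation" */

    /* Count accepted client-initiated renegotiations still inside the window. */
    unsigned recent = 0;
    for (size_t i = 0; i < st->count; i++) {
        size_t idx = (st->head + RENEGO_HISTORY - 1 - i) % RENEGO_HISTORY;
        if (now - st->stamps[idx] < pol->window_secs)
            recent++;
    }
    if (recent >= pol->max_per_window)
        return false;              /* over the per-connection rate limit */

    st->stamps[st->head] = now;    /* record the accepted renegotiation */
    st->head = (st->head + 1) % RENEGO_HISTORY;
    if (st->count < RENEGO_HISTORY)
        st->count++;
    return true;
}
```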