there doesn't seem to be any immediate demand for renegotiation
> support, so it makes the most sense to leave it optional-to-enable
> rather than optional-to-disable.
If you want to protect some parts of your site with client
authentication, then you need to enable insecure renegotiation to
su
Bill, that is already good, but then the question still remains of
whether there is something that can be done disable/control/detect too
many handshakes from any given client (new or renegotiated). I'd love
to understand whether this is even a reasonable thing discuss, as I do
not have knowledge o
Yes, disabled by default now. My point was just make sure it did not come
back again, at least not without a config parameter to easily
disable/enable.
On Sun, Apr 17, 2011 at 8:41 AM, Jeff Trawick wrote:
> On Sat, Apr 16, 2011 at 3:39 PM, Daniel Ruggeri
> wrote:
> > On 4/16/2011 11:52 AM, Chri
On Sat, Apr 16, 2011 at 3:39 PM, Daniel Ruggeri wrote:
> On 4/16/2011 11:52 AM, Chris Hill wrote:
>>
>> Dear Apache httpd dev list,
>> ...
>> The reason why I insist in this is that the world has come to depend on
>> HTTP/SOAP over SSL (and Apache/OpenSSL are probably the most popular
>> implement
On Sat, 16 Apr 2011, Eric Covener wrote:
would mod_reqtimeout step in after too many renegotiations had eaten
too much wall time?
Whenever mod_ssl reads data from the client, mod_reqtimeout will check the
configured timeouts. It is possible that the data sent during reneg may
prevent the "mi
2011/4/16 Chris Hill :
[...]
> SSL handshakes take more processing power in the server side than on the
> client side (some commented in the order of 15x more). This is great news
> for attackers who want to take down a site and the work has already be done
> for them through recent exploits develo
would mod_reqtimeout step in after too many renegotiations had eaten
too much wall time?
On 4/16/2011 2:39 PM, Daniel Ruggeri wrote:
> On 4/16/2011 11:52 AM, Chris Hill wrote:
>> but how can I ensure this will never be turned back on in
>> future releases given the lack of configuration parameters?
>
> Chris;
>I believe this topic (enable/disable renegotiation) was brought up on t
On 4/16/2011 11:52 AM, Chris Hill wrote:
Dear Apache httpd dev list,
...
The reason why I insist in this is that the world has come to depend on
HTTP/SOAP over SSL (and Apache/OpenSSL are probably the most popular
implementation) for business critical apps, yet, it is not clear how
these business
Dear Apache httpd dev list,
There have been previous posts on this topic (I've initiated some in both
OpenSSL and Apache mailing lists), but I'd like to now just narrow the topic
down to what seems to be the most relevant points for which there are not
yet answers. We need you (the smart folks ;)
10 matches
Mail list logo