Hi,

what is the best way to fix the TLS renegotiation problem?

On my site some locations require renegotiation to get a client cert. But that can simply be moved into the vhost config.

I believe this is not sufficient, is it? Is OpenSSL 0.9.8l sufficient? Or do I have to patch Apache as well?

http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch

Is it correct that OpenSSL 0.9.8l simply denies renegotiation? Does that mean that directory/location-based SSL parameters are impossible? Or is server-initiated renegotiation still possible?

Thanks,
Torsten

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.