On April 9, 2011 18:00, Chris Hill <chris.hillsec@xxxxxxxxx> wrote:
My company relies on Apache for a number of customer-facing sites. What's a reliable way to disable client-initiated renegotiation (both secure and insecure renegotiation)? I know one specific openssl library (l) disables this, but then later ones enable "secure" renegotiation, which we need to disable. Ideally, I'd like a solution through a configuration parameter so that future versions/upgrades do not re-enable renegotiation.
I don't have an answer for you, but, out of curiosity, why do you need to disable SSL 3.0 / TLS renegotiation? If a client initiates a renegotiation, is this bad in some way? Obviously, you trusted the client during the initial negotiation/handshake.
-- Mark Montague mark@xxxxxxxxxxx