Hello, I am developing a server and I need to disable client-initiated renegotiations.

I thought that setting the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag into SSL_CTX_set_options was the way to go but apparently I was wrong (as you can see from a simple test):

    openssl s_client -connect www.myhost.com:443
    CONNECTED(00000003)
    …
    ---
    $ R
    RENEGOTIATING
    139750207096480:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

If I try this with the DB-Server it tries to renegotiate:

    $ openssl s_client -connect dev.myhost.com:443
    CONNECTED(00000003)
    …
    ---
    $ R
    RENEGOTIATING
    depth=0 C = CH, ST = Italy, O = SQLabs = cubeSQL, CN = dev.myhost.com, emailAddress = host...@myhost.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = CH, ST = Italy, O = SQLabs = cubeSQL, CN = dev.myhost.com, emailAddress = host...@myhost.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 C = CH, ST = Italy, O = SQLabs = cubeSQL, CN = dev.myhost.com, emailAddress = host...@myhost.com
    verify error:num=21:unable to verify the first certificate
    verify return:1

So, how can I completely disable client renegotiations?

Thanks a lot.
--
Marco Bambini
http://www.sqlabs.com
http://twitter.com/sqlabs
http://instagram.com/sqlabs