On April 9, 2011 18:00, Chris Hill <chris.hill...@gmail.com> wrote:
> My company relies on Apache for a number of customer-facing sites.
> What's a reliable way to disable client-initiated renegotiation (both
> secure and insecure renegotiation)? I know one specific openssl
> library (l) disables this, but then later ones enable "secure"
> renegotiation, which we need to disable.
> Ideally, I'd like a solution through a configuration parameter so
> that future versions/upgrades do not re-enable renegotiation.

I don't have an answer for you, but, out of curiosity, why do you need
to disable SSL 3.0 / TLS renegotiation? If a client initiates a
renegotiation, is this bad in some way? Obviously, you trusted the
client during the initial negotiation/handshake.
--
Mark Montague
m...@catseye.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.