Posted to users@httpd.apache.org by Torsten Foertsch <to...@gmx.net> on 2009/11/10 11:14:30 UTC
[users@httpd] best way to fix the tls renegotiation problem?
Hi,
What is the best way to fix the TLS renegotiation problem?
On my site some locations require renegotiation to get a client cert.
But that can simply be moved into the vhost config.
I believe this is not sufficient, is it?
Is OpenSSL 0.9.8l sufficient? Or do I have to patch Apache as well?
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
Is it correct that OpenSSL 0.9.8l simply denies renegotiation? Does that
mean that directory/location based SSL parameters are impossible? Or is
server initiated renegotiation still possible?
Thanks,
Torsten
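
The configuration change the message describes, shown as an added example that is not part of the original post: a per-location client-certificate requirement (which makes mod_ssl renegotiate) beside a vhost-level one (requested in the initial handshake). The host name, file paths and the /secure location are hypothetical placeholders, and the two blocks are alternatives, not one file.

```apache
# --- Variant A (constructed): client cert required per location ---
# The initial handshake for the vhost completes without a client certificate.
# When a request reaches /secure, the stricter SSLVerifyClient setting can only
# be satisfied by renegotiating the existing TLS session.
<VirtualHost *:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt

    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>
</VirtualHost>

# --- Variant B (constructed): client cert requested at vhost level ---
# The certificate is asked for once, in the initial handshake, so no
# per-request renegotiation is needed. "optional" keeps the rest of the site
# reachable without a certificate; /secure then checks the verification result
# instead of changing the verification settings.
<VirtualHost *:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt

    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Location /secure>
        # Access check only; does not alter handshake parameters.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>
```

Per-directory SSLCipherSuite and SSLVerifyDepth overrides trigger renegotiation in the same way as SSLVerifyClient, so they need the same review when auditing a configuration for this issue.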