Posted to users@httpd.apache.org by Torsten Foertsch <to...@gmx.net> on 2009/11/10 11:14:30 UTC

[users@httpd] best way to fix the tls renegotiation problem?

Hi,

What is the best way to fix the TLS renegotiation problem?

On my site some locations require renegotiation to get a client cert. 
But that can simply be moved into the vhost config.

I believe this is not sufficient, is it?

Is OpenSSL 0.9.8l sufficient? Or do I have to patch Apache as well?

http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch

Is it correct that OpenSSL 0.9.8l simply denies renegotiation? Does that
mean that directory/location-based SSL parameters are impossible? Or is
server-initiated renegotiation still possible?

Thanks,
Torsten
