Posted to cvs@httpd.apache.org by jo...@apache.org on 2010/02/09 13:46:17 UTC

svn commit: r908015 - /httpd/httpd/trunk/modules/ssl/ssl_engine_config.c

Author: jorton
Date: Tue Feb  9 12:46:17 2010
New Revision: 908015

URL: http://svn.apache.org/viewvc?rev=908015&view=rev
Log:
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLInsecureRenegotiation):
  Tweak error wording for when the directive is not supported.

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=908015&r1=908014&r2=908015&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Tue Feb  9 12:46:17 2010
@@ -637,7 +637,8 @@
     sc->insecure_reneg = flag?TRUE:FALSE;
     return NULL;
 #else
-    return "SSLInsecureRenegotiation is not supported by the SSL library";
+    return "Secure renegotation is not supported by the SSL library; "
+        "the SSLInsecureRenegotiation directive is not available";
 #endif
 }
 
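Review bot: the replacement string on the two `+` lines misspells "renegotiation" as "renegotation"; this string is returned as the config-parse error an administrator sees on an SSL library without renegotiation support, so the spelling should be fixed before this lands. The new wording also leads with what the library lacks ("Secure renegotation is not supported by the SSL library") rather than with what the administrator wrote; a message that names the directive first, such as "The SSLInsecureRenegotiation directive is not available with this SSL library", tells the reader what to remove from the config, and the per-OpenSSL-version detail belongs in the directive's documentation rather than in the error string.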



Re: svn commit: r908015 - /httpd/httpd/trunk/modules/ssl/ssl_engine_config.c

Posted by Jeff Trawick <tr...@gmail.com>.
On Fri, Feb 26, 2010 at 3:38 PM, Joe Orton <jo...@redhat.com> wrote:
> On Fri, Feb 26, 2010 at 12:55:38PM -0500, Jeff Trawick wrote:
>> On Tue, Feb 9, 2010 at 7:46 AM,  <jo...@apache.org> wrote:
>> > --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
>> > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Tue Feb  9 12:46:17 2010
>> > @@ -637,7 +637,8 @@
>> >     sc->insecure_reneg = flag?TRUE:FALSE;
>> >     return NULL;
>> >  #else
>> > -    return "SSLInsecureRenegotiation is not supported by the SSL library";
>> > +    return "Secure renegotation is not supported by the SSL library; "
>> > +        "the SSLInsecureRenegotiation directive is not available";
>> >  #endif
>> >  }
>>
>> Besides losing 5 points for spelling,
>
> doh, thanks
>
>> is it worth punting as much as possible to the docs?
>
> Yes :)
>
> I "improved" the wording here since it was pointed out to me off-list
> that the original read as "insecure reneg not supported" which comes
> across as both confusing and inaccurate.
>
> I'd like to have a FAQ entry about this, certainly, covering the
> behaviour with different versions of OpenSSL as you mention.
>
> I'm not sure how to further "improve" the error string here though, it
> seemed a bit awkward to start putting docs URLs in or anything.  Any
> suggestions?

Simply "The SSLInsecureRenegotiation directive is not available with
this SSL library" or similar, with all the other information either in
the SSLInsecureRenegotiation doc or linked from it.

Re: svn commit: r908015 - /httpd/httpd/trunk/modules/ssl/ssl_engine_config.c

Posted by Joe Orton <jo...@redhat.com>.
On Fri, Feb 26, 2010 at 12:55:38PM -0500, Jeff Trawick wrote:
> On Tue, Feb 9, 2010 at 7:46 AM,  <jo...@apache.org> wrote:
> > --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
> > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Tue Feb  9 12:46:17 2010
> > @@ -637,7 +637,8 @@
> >     sc->insecure_reneg = flag?TRUE:FALSE;
> >     return NULL;
> >  #else
> > -    return "SSLInsecureRenegotiation is not supported by the SSL library";
> > +    return "Secure renegotation is not supported by the SSL library; "
> > +        "the SSLInsecureRenegotiation directive is not available";
> >  #endif
> >  }
> 
> Besides losing 5 points for spelling,

doh, thanks

> is it worth punting as much as possible to the docs?

Yes :) 

I "improved" the wording here since it was pointed out to me off-list 
that the original read as "insecure reneg not supported" which comes 
across as both confusing and inaccurate.

I'd like to have a FAQ entry about this, certainly, covering the 
behaviour with different versions of OpenSSL as you mention.

I'm not sure how to further "improve" the error string here though, it 
seemed a bit awkward to start putting docs URLs in or anything.  Any 
suggestions?

Regards, Joe

Re: svn commit: r908015 - /httpd/httpd/trunk/modules/ssl/ssl_engine_config.c

Posted by Jeff Trawick <tr...@gmail.com>.
On Tue, Feb 9, 2010 at 7:46 AM,  <jo...@apache.org> wrote:
> Author: jorton
> Date: Tue Feb  9 12:46:17 2010
> New Revision: 908015
>
> URL: http://svn.apache.org/viewvc?rev=908015&view=rev
> Log:
> * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLInsecureRenegotiation):
>  Tweak error wording for when the directive is not supported.
>
> Modified:
>    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=908015&r1=908014&r2=908015&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Tue Feb  9 12:46:17 2010
> @@ -637,7 +637,8 @@
>     sc->insecure_reneg = flag?TRUE:FALSE;
>     return NULL;
>  #else
> -    return "SSLInsecureRenegotiation is not supported by the SSL library";
> +    return "Secure renegotation is not supported by the SSL library; "
> +        "the SSLInsecureRenegotiation directive is not available";
>  #endif
>  }

Besides losing 5 points for spelling, is it worth punting as much as
possible to the docs?

Some poor sysadmin told to add "SSLInsecureRenegotiation Off"
everywhere just to be safe encounters some box with older OpenSSL and
sees "Secure renegotiation is not supported by the SSL library", which
is really beside the point.

OpenSSL 0.9.8k and below:

* This directive is not available.

* Only insecure (legacy) renegotiation is supported.  It can only be
disabled by changing the mod_ssl configuration XXXX.

* For affected configurations, SSL connections will be vulnerable to
the Man-in-the-Middle prefix attack as described in CVE-2009-3555.

OpenSSL 0.9.8l:

* This directive is not available.

* No renegotiation, secure or insecure (legacy), is supported.

* SSL connections will not be vulnerable to the Man-in-the-Middle
prefix attack as described in CVE-2009-3555, but some mod_ssl
configurations XXXXX.

OpenSSL 0.9.8m and above:

* This directive is available to enable insecure (legacy)
renegotiation, if absolutely necessary.

* Secure renegotiation is supported.

* For affected configurations, if this directive is enabled to allow
legacy, insecure renegotiation, SSL connections will be vulnerable to
the Man-in-the-Middle prefix attack as described in CVE-2009-3555.
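The three OpenSSL cases above differ in whether the server implements RFC 5746 at all, and that is something a client can observe from the outside. The probe below is an added example written for this thread; it is not code from httpd, mod_ssl or OpenSSL, and the function names (`build_client_hello`, `parse_server_hello`, `probe`) are my own. It sends a minimal TLS 1.2 ClientHello that carries both RFC 5746 signals, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00ff) and an empty renegotiation_info extension (0xff01), and reports whether the ServerHello echoes renegotiation_info. A server linked against OpenSSL 0.9.8m or later echoes it (the "secure renegotiation is supported" case); a server on 0.9.8k or 0.9.8l does not. The probe cannot tell those two older cases apart, because neither one knows the extension; distinguishing "legacy renegotiation allowed" from "renegotiation disabled" needs an actual renegotiation attempt, for example `openssl s_client -connect host:443` followed by typing `R`. The sample ServerHello records used for the offline checks are constructed here, not captured from any server.

```python
"""Probe whether a TLS server implements RFC 5746 secure renegotiation.

Added example for this thread; not code from httpd or OpenSSL.  It sends a
TLS 1.2 ClientHello advertising the SCSV (0x00ff) and an empty
renegotiation_info extension (0xff01) and checks whether the ServerHello
echoes renegotiation_info.  OpenSSL 0.9.8m+ servers echo it; older do not.
"""
import os
import socket
import struct

CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
RENEG_INFO_EXT = 0xFF01     # renegotiation_info extension type
RENEG_SCSV = 0x00FF         # TLS_EMPTY_RENEGOTIATION_INFO_SCSV


def build_client_hello(server_name=None):
    """TLS record carrying a ClientHello with the SCSV and renegotiation_info."""
    # A few widely deployed TLS 1.0-1.2 suites, then the signalling suite.
    suites = [0xC02F, 0xC013, 0x002F, 0x000A, RENEG_SCSV]
    # renegotiation_info on an initial handshake: 1-byte length of 0,
    # i.e. an empty renegotiated_connection.
    exts = struct.pack("!HHB", RENEG_INFO_EXT, 1, 0)
    if server_name:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (struct.pack("!H", 0x0303)                       # client_version
            + os.urandom(32)                                # random
            + b"\x00"                                       # empty session_id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                   # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(hs)) + hs


def parse_server_hello(data):
    """Return (cipher_suite, [extension types]) from the first server record.

    Raises ValueError if the server answered with an alert (e.g. a server
    that refuses anything below TLS 1.3) or the record is not a ServerHello.
    """
    if len(data) < 5:
        raise ValueError("short record")
    ctype, _version, rlen = struct.unpack("!BHH", data[:5])
    if ctype == CONTENT_ALERT:
        raise ValueError("server sent alert %s" % data[5:7].hex())
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("unexpected content type 0x%02x" % ctype)
    rec = data[5:5 + rlen]
    if len(rec) < 4 or rec[0] != HS_SERVER_HELLO:
        raise ValueError("first handshake message is not a ServerHello")
    hlen = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hlen]
    if len(body) < hlen or hlen < 38:         # 2 + 32 + 1 + 2 + 1 minimum
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                              # server_version + random
    pos += 1 + body[pos]                      # session_id
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 1                              # cipher_suite + compression
    ext_types = []
    if pos + 2 <= len(body):                  # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    return suite, ext_types


def secure_reneg_supported(server_hello_record):
    """True if the ServerHello carries renegotiation_info (RFC 5746)."""
    _suite, exts = parse_server_hello(server_hello_record)
    return RENEG_INFO_EXT in exts


def probe(host, port=443, timeout=5.0):
    """Connect, send the ClientHello, read the first record, and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        buf = b""
        while len(buf) < 5 or len(buf) < 5 + struct.unpack("!H", buf[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return secure_reneg_supported(buf)


def sample_server_hello(with_reneg_ext):
    """Constructed ServerHello record (not captured from any server) for
    offline checks: zero random, empty session id, suite 0xC02F."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" \
        + struct.pack("!H", 0xC02F) + b"\x00"
    if with_reneg_ext:
        ext = struct.pack("!HHB", RENEG_INFO_EXT, 1, 0)
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0303, len(hs)) + hs


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, "RFC 5746 secure renegotiation:",
          "supported" if probe(target) else "NOT advertised")
```

Run it as `python probe.py www.example.org` against a host you are allowed to test. A result of "NOT advertised" on a mod_ssl server means the configuration falls into one of the two older OpenSSL cases listed above, and whether the server will still accept a legacy renegotiation (the CVE-2009-3555 exposure) has to be checked with a real renegotiation attempt rather than from the handshake alone.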