Posted to community@apache.org by Chris Hill <ch...@gmail.com> on 2011/04/09 23:48:28 UTC

Disabling client initiated renegotiation

Hi all,

My company relies on Apache for a number of customer facing sites. What's a
reliable way to disable client initiated renegotiation (both secure and
insecure renegotiation)? I know one specific openssl library (l) disables
this, but then later ones enable "secure" renegotiation, which we need to
disable.

Ideally, I'd like a solution through a configuration parameter so that
future versions/upgrades do not re-enable renegotiation.

Thanks for your help.

Regards,
Chris.

Re: Disabling client initiated renegotiation

Posted by sebb <se...@gmail.com>.
On 9 April 2011 22:48, Chris Hill <ch...@gmail.com> wrote:
> Hi all,
>
> My company relies on Apache for a number of customer facing sites. What's a
> reliable way to disable client initiated renegotiation (both secure and
> insecure renegotiation)? I know one specific openssl library (l) disables
> this, but then later ones enable "secure" renegotiation, which we need to
> disable.
>
> Ideally, I'd like a solution through a configuration parameter so that
> future versions/upgrades do not re-enable renegotiation.

If you are referring to Apache httpd, that sounds like a question for
the httpd user mailing list [A].

Or if you are using Apache Tomcat, its user list [T] is the place to
ask such questions.


[A] http://httpd.apache.org/lists.html

[T] http://tomcat.apache.org/lists.html
