Changeset 1540


Ignore:
Timestamp:
Apr 16, 2010, 5:40:31 AM (16 years ago)
Author:
mitchb
Message:
Two's company and three's a crowd, but have an orgy if you must

Apache 2.2.15 includes support for RFC 5746, which specifies
the TLS Renegotiation Indication Extension and fixes the protocol
flaw that allows CVE-2009-3555.  Unfortunately, secure renegotiations
require support in both the server and the client, and so it will
take some time until most webservers and most browsers have been
upgraded to support this extension.  While we want to support and
enforce secure renegotiation for clients that are capable of it,
and we want to encourage everyone to upgrade ASAP, refusing to
renegotiate with clients that haven't yet gotten support would
most likely break many sites for many users.

This setting should be temporary, but it's not yet clear how long
we may have to wait.
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/server/fedora/config/etc/httpd/conf/httpd.conf

    r1482 r1540  
    313313    AddType application/x-pkcs7-crl    .crl
    314314
     315    # This directive allows insecure renegotiations to succeed for browsers
     316    # that do not yet support RFC 5746.  It should be removed when enough
     317    # of the world has caught up.
     318    SSLInsecureRenegotiation on
     319
    315320    SSLPassPhraseDialog  builtin
    316321    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
Note: See TracChangeset for help on using the changeset viewer.