</usage>
</directivesynopsis>
-<directivesynopsis>
-<name>SSLInsecureRenegotiation</name>
-<description>Option to enable support for insecure renegotiation</description>
-<syntax>SSLInsecureRenegotiation on|off</syntax>
-<default>SSLInsecureRenegotiation off</default>
-<contextlist><context>server config</context>
-<context>virtual host</context></contextlist>
-<compatibility>Available if using OpenSSL 0.9.8m or later</compatibility>
-
-<usage>
-<p>As originally specified, all versions of the SSL and TLS protocols
-(up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle
-attack
-(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>)
-during a renegotiation. This vulnerability allowed an attacker to
-"prefix" a chosen plaintext to the HTTP request as seen by the web
-server. A protocol extension was developed which fixed this
-vulnerability if supported by both client and server.</p>
-
-<p>If <module>mod_ssl</module> is linked against OpenSSL version 0.9.8m
-or later, by default renegotiation is only supported with
-clients supporting the new protocol extension. If this directive is
-enabled, renegotiation will be allowed with old (unpatched) clients,
-albeit insecurely.</p>
-
-<note type="warning"><title>Security warning</title>
-<p>If this directive is enabled, SSL connections will be vulnerable to
-the Man-in-the-Middle prefix attack as described
-in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>.</p>
-</note>
-
-<example><title>Example</title>
-<highlight language="config">
-SSLInsecureRenegotiation on
-</highlight>
-</example>
-
-<p>The <code>SSL_SECURE_RENEG</code> environment variable can be used
-from an SSI or CGI script to determine whether secure renegotiation is
-supported for a given SSL connection.</p>
-
-</usage>
-</directivesynopsis>
-
<directivesynopsis>
<name>SSLUseStapling</name>
<description>Enable stapling of OCSP responses in the TLS handshake</description>
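Review bot: dropping the entire directivesynopsis leaves administrators with no documented migration path, while the handler hunk in this same patch now rejects the directive outright, so a configuration still carrying `SSLInsecureRenegotiation on` (or `off`) fails to load with nothing in the documentation explaining why. Suggest keeping a short note in the mod_ssl docs or the upgrade notes saying the directive has been removed and must be deleted from existing configurations. The last removed paragraph also documented the `SSL_SECURE_RENEG` environment variable; if mod_ssl still exports that variable, that text belongs with the module's environment-variable documentation rather than disappearing together with the directive.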
sc->vhost_id = NULL; /* set during module init */
sc->session_cache_timeout = UNSET;
sc->cipher_server_pref = UNSET;
- sc->insecure_reneg = UNSET;
#ifdef HAVE_TLSEXT
sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
#endif
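Review bot: the initialiser for `sc->insecure_reneg` is removed here, but the declaration of that member in `SSLSrvConfigRec` (the struct that `mySrvConfig()` returns in the directive-handler hunk) is not part of this diff; confirm it is removed in the same commit, otherwise the field remains in the struct with no initialiser and no reader, which is exactly the kind of dead state a later change trips over.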
cfgMerge(enabled, SSL_ENABLED_UNSET);
cfgMergeInt(session_cache_timeout);
cfgMergeBool(cipher_server_pref);
- cfgMergeBool(insecure_reneg);
#ifdef HAVE_TLSEXT
cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
#endif
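Review bot: with `cfgMergeBool(insecure_reneg);` gone the per-vhost merge no longer carries the flag, but the code that consumed it when building the SSL context (the place that applied `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION`, the option the removed handler body was guarded by) is not visible in this diff; make sure that consumer is dropped as well, since the compiler will only catch a leftover reference if the struct member is also removed. It is also worth stating in the log message that, per the removed documentation, the library default of only renegotiating with clients that support the secure-renegotiation extension now applies unconditionally.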
const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
{
-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- sc->insecure_reneg = flag?TRUE:FALSE;
- return NULL;
-#else
- return "The SSLInsecureRenegotiation directive is not available "
- "with this SSL library";
-#endif
+ return "The SSLInsecureRenegotiation directive is no longer supported";
}
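Review bot: the handler now returns an error unconditionally, so any existing configuration containing the directive, including an explicit `SSLInsecureRenegotiation off` that merely restated the default, fails at startup. Failing loudly on `on` is the right call, since silently ignoring it would hide the behaviour change from the operator, but consider using the still-available `flag` to accept `off` with a deprecation log entry and reject only `on`, so operators who had pinned the safe setting are not broken by the upgrade. Either way, `"The SSLInsecureRenegotiation directive is no longer supported"` should tell the operator what to do, i.e. remove the directive. Finally, `dcfg` and `flag` are now unused; the signature is dictated by the command-table entry (not in this diff), so mark them unused to keep the build warning-clean.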
modssl_ctx_dump(sc->server, p, 0, out, indent, psep);
DMP_LONG( "SSLSessionCacheTimeout", sc->session_cache_timeout);
- DMP_ON_OFF("SSLInsecureRenegotiation", sc->insecure_reneg);
DMP_ON_OFF("SSLStrictSNIVHostCheck", sc->strict_sni_vhost_check);
DMP_ON_OFF("SSLSessionTickets", sc->session_tickets);
}