From: Joe Orton
Date: Thu, 4 Feb 2010 11:25:54 +0000 (+0000)
Subject: * docs/manual/mod/mod_ssl.xml: Warn more clearly about
X-Git-Tag: 2.3.6~519
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3c814351bf68b703d897ca73151025ba52d4d590;p=thirdparty%2Fapache%2Fhttpd.git
* docs/manual/mod/mod_ssl.xml: Warn more clearly about
the security impact of SSLInsecureRenegotiation.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906454 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 6eee29ca058..05967a0a698 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -1781,6 +1781,7 @@ certificate being validated references an OCSP responder.
server config
virtual host
Available in httpd 2.3 and later, if using OpenSSL 1.0.0 Beta 5 or later
+SSLInsecureRenegotiation off
As originally specified, all versions of the SSL and TLS protocols
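Review bot: the new default entry reads "off", but the surrounding prose only describes the default behaviour conditionally ("If mod_ssl is linked against OpenSSL version 1.0.0 Beta 5 or later, by default renegotiation is only supported with clients supporting the new protocol extension"), and the compatibility line says the directive exists only on such builds. Readers on an older OpenSSL may take "off" to mean their server is already protected; consider adding one sentence stating what the server does when the directive is unavailable, so the default is not read as a guarantee that applies to every build.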
@@ -1795,15 +1796,23 @@ vulnerability if supported by both client and server.
If mod_ssl is linked against OpenSSL version 1.0.0
Beta 5 or later, by default renegotiation is only supported with
clients supporting the new protocol extension. If this directive is
-enabled, renegotiation will be allowed with old (unpatched) clients.
-SSL connections will be vulnerable to the prefix attack as described
-above if this directive is enabled. The SSL_SECURE_RENEG
-variable can be used to determine whether secure renegotiation is
-supported for a given SSL connection.
+enabled, renegotiation will be allowed with old (unpatched) clients,
+albeit insecurely.
+
+Security warning
+If this directive is enabled, SSL connections will be vulnerable to
+the Man-in-the-Middle prefix attack as described
+in CVE-2009-3555.
+
Example
SSLInsecureRenegotiation on
+
+The SSL_SECURE_RENEG environment variable can be used
+from an SSI or CGI script to determine whether secure renegotiation is
+supported for a given SSL connection.
+
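Review bot: the "Security warning" block is immediately followed by an Example that simply turns the directive on, with no qualification, so the example reads as a recommended setting rather than a last-resort compatibility knob. Suggest wrapping the example in the terms the text already uses, e.g. introduce it with "only to retain compatibility with old (unpatched) clients" or move it below the SSL_SECURE_RENEG paragraph so the warning is not undercut. Also, the added paragraph says SSL_SECURE_RENEG "can be used from an SSI or CGI script to determine whether secure renegotiation is supported" but does not say which values the variable takes, which a script author needs in order to branch on it; documenting the possible values alongside the variable name would make the paragraph actionable.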