Timestamp:
Apr 16, 2010, 5:40:31 AM
Author:
mitchb
Message:
Two's company and three's a crowd, but have an orgy if you must

Apache 2.2.15 includes support for RFC 5746, which specifies
the TLS Renegotiation Indication Extension and fixes the protocol
flaw that allows CVE-2009-3555.  Unfortunately, secure renegotiations
require support in both the server and the client, and so it will
take some time until most webservers and most browsers have been
upgraded to support this extension.  While we want to support and
enforce secure renegotiation for clients that are capable of it,
and we want to encourage everyone to upgrade ASAP, refusing to
renegotiate with clients that haven't yet gotten support would
most likely break many sites for many users.

This setting should be temporary, but it's not yet clear how long
we may have to wait.
File:
1 edited

  • trunk/server/fedora/config/etc/httpd/conf/httpd.conf

    r1482 r1540  
    313313    AddType application/x-pkcs7-crl    .crl
    314314
     315    # This directive allows insecure renegotiations to succeed for browsers
     316    # that do not yet support RFC 5746.  It should be removed when enough
     317    # of the world has caught up.
     318    SSLInsecureRenegotiation on
     319
    315320    SSLPassPhraseDialog  builtin
    316321    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
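Review bot: the new comment block at lines 315-317 gives no criterion or owner for removing the directive, so a setting the commit message itself calls temporary has no trigger to be revisited; add a tracking ticket reference or a concrete condition (for example, "remove once the share of clients without RFC 5746 support is negligible") to the comment, and consider logging whether each client negotiated the extension (mod_ssl exposes this as the SSL_SECURE_RENEG variable) so that decision can be made from data rather than guesswork. It is also worth stating in the comment that `SSLInsecureRenegotiation on` re-exposes renegotiating connections to the CVE-2009-3555 flaw for exactly those legacy clients, so a reader who only sees httpd.conf understands the trade-off being accepted.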