New releases of OpenSSL will only allow secure renegotiation by

default. Add an "SSLInsecureRenegotiation" directive to enable renegotiation against unpatched clients, to ease transition: * modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add insecure_reneg field. * modules/ssl/ssl_engine_config.c (ssl_config_server_new, ssl_config_server_merge): Handle the insecure_reneg flag. (ssl_cmd_SSLInsecureRenegotiation): New function. * modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is enabled. * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of support for secure reneg. * modules/ssl/mod_ssl.c: Add the directive definition. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906039 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2010-02-03 13:38:09 +00:00
parent 262c4164d2
commit f1e767fd68
5 changed files with 37 additions and 8 deletions
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -123,6 +123,8 @@ static const command_rec ssl_config_cmds[] = {
                "('[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
    SSL_CMD_SRV(HonorCipherOrder, FLAG,
                "Use the server's cipher ordering preference")
+    SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+                "Enable support for insecure renegotiation")
    SSL_CMD_ALL(UserName, TAKE1,
                "Set user name to SSL variable value")
    SSL_CMD_SRV(LogLevelDebugDump, TAKE1,