New releases of OpenSSL will only allow secure renegotiation by

default.  Add an "SSLInsecureRenegotiation" directive to enable
renegotiation against unpatched clients, to ease transition:

* modules/ssl/ssl_private.h (struct SSLSrvConfigRec): Add
  insecure_reneg field.

* modules/ssl/ssl_engine_config.c (ssl_config_server_new,
  ssl_config_server_merge): Handle the insecure_reneg flag.
  (ssl_cmd_SSLInsecureRenegotiation): New function.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Set the
  SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option if insecure_reneg is
  enabled.

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Log level of
  support for secure reneg.

* modules/ssl/mod_ssl.c: Add the directive definition.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@906039 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_kernel.c

@@ -764,10 +764,17 @@ int ssl_hook_Access(request_rec *r)
                 r->connection->keepalive = AP_CONN_CLOSE;
             }
 
-            /* do a full renegotiation */
+            /* Perform a full renegotiation. */
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                          "Performing full renegotiation: "
-                          "complete handshake protocol");
+                          "Performing full renegotiation: complete handshake "
+                          "protocol (%s support secure renegotiation)",
+#if defined(SSL_get_secure_renegotiation_support)
+                          SSL_get_secure_renegotiation_support(ssl) ? 
+                          "client does" : "client does not"
+#else
+                          "server does not"
+#endif
+                );
 
             SSL_set_session_id_context(ssl,
                                        (unsigned char *)&id,