
Apache update slessp1-apache2-5482 and SSL renegotiation



vatson
14-Dec-2011, 22:16
I read from the description of this latest Apache update:
"CVE-2011-1473: Fixed the SSL renegotiation DoS by disabling
renegotiation by default."

I have a web application that depends on SSL renegotiation being
available, so it seems I can expect this update to break my application?
What I'm curious about is the "by default" part of the above paragraph,
which seems to indicate that somehow SSL renegotiation can be
re-enabled. How? I have read about the SSLInsecureRenegotiation Apache
configuration parameter, but AFAIK this appeared in Apache 2.2.15, while
Apache on SLES is 2.2.12, and at least before applying the update, adding
this parameter to the configuration results in an error.


--
vatson
------------------------------------------------------------------------
vatson's Profile: http://forums.novell.com/member.php?userid=20248
View this thread: http://forums.novell.com/showthread.php?t=449602

vatson
15-Dec-2011, 19:36
I installed the update on a test server and, contrary to my expectations,
the application did not break.

