I read from the description of this latest Apache update:
“CVE-2011-1473: Fixed the SSL renegotiation DoS by disabling
renegotiation by default.”
I have a web application that depends on SSL renegotiation being
available, so it seems I can expect this update to break my application?
What I’m curious about is the “by default” part of the above paragraph,
which seems to indicate that somehow SSL renegotiation can be
re-enabled. How? I have read about the SSLInsecureRenegotiation Apache
configuration parameter, but AFAIK this appeared in Apache 2.2.15, while
Apache on SLES is 2.2.12, and, at least before applying the update, adding
this parameter to the configuration results in an error.