Apache update slessp1-apache2-5482 and SSL renegotiation

I read from the description of this latest Apache update:
“CVE-2011-1473: Fixed the SSL renegotiation DoS by disabling
renegotiation by default.”

I have a web application that depends on SSL renegotiation being
available, so it seems I can expect this update to break my application?
What I’m curious about is the “by default” part of the above paragraph,
which seems to indicate that somehow SSL renegotiation can be
re-enabled. How? I have read about the SSLInsecureRenegotiation Apache
configuration parameter, but AFAIK this appeared in Apache 2.2.15, while
Apache on SLES is 2.2.12, and at least before applying the update adding
this parameter to the configuration results in an error.


vatson

vatson’s Profile: http://forums.novell.com/member.php?userid=20248
View this thread: http://forums.novell.com/showthread.php?t=449602

I installed the update on a test server and contrary to my expectations
the application did not break.


vatson
