+++ This bug was initially created as a clone of Bug #561435 +++ Description: The SSLInsecureRenegotiation directive should be added from upstream, to allow renegotiation with unpatched clients, after the fix for CVE-2009-3555 was implemented in OpenSSL. http://svn.apache.org/viewvc?rev=906039&view=rev
OpenSSL packages will be updated to address CVE-2009-3555 (see bug #533125), which will deny TLS session renegotiation with unpatched clients. mod_ssl configurations depending on TLS renegotiation (see kbase DOC-20491 for examples) may become problematic during the transition period (when the server is upgraded, but not all clients are upgraded yet). httpd upstream introduced a new configuration directive - SSLInsecureRenegotiation - that can be used to temporarily re-enable unsafe (i.e. vulnerable) legacy renegotiation during the transition period. An alternative for server admins with such configurations is to not upgrade openssl on the server while clients are still un-upgraded. Or the configuration can be changed to avoid the use of renegotiation (see kbase).
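The two options described in the comment above, as an added configuration example that is not part of the bug report or the referenced kbase article. Host names, ports and certificate paths are placeholders; the per-directory SSLVerifyClient block stands in for the kind of configuration that makes mod_ssl renegotiate mid-connection (httpd does not allow comments on the same line as a directive, so the comments sit on their own lines):

```apache
# Option 1: transition-period workaround.
# A per-directory SSLVerifyClient forces mod_ssl to renegotiate after the
# request has been read, so once OpenSSL is updated for CVE-2009-3555,
# unpatched clients hitting /secure would be refused. Enabling
# SSLInsecureRenegotiation (default: off; server or vhost context)
# re-allows the legacy, vulnerable renegotiation for the whole vhost
# until the clients are upgraded. Remove it when the transition is over.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt

    # Temporary: re-enable legacy (insecure) renegotiation
    SSLInsecureRenegotiation on

    <Location /secure>
        # Per-directory client-cert requirement: triggers renegotiation
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>

# Option 2: avoid renegotiation altogether.
# Requiring the client certificate at vhost level is negotiated in the
# initial handshake, so no renegotiation happens and
# SSLInsecureRenegotiation can stay at its default (off). The protected
# content is served from a dedicated vhost (here a separate port) instead
# of a per-directory block on the main site.
<VirtualHost *:8443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/secure.example.com.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt

    # Vhost-level requirement: satisfied during the initial handshake
    SSLVerifyClient require
    SSLVerifyDepth 2
    DocumentRoot /var/www/secure
</VirtualHost>
```

To check which behaviour a server actually exposes after the upgrade, connect with `openssl s_client -connect www.example.com:443` and type `R` on a line by itself: s_client then requests a renegotiation, which a server with SSLInsecureRenegotiation off and a patched OpenSSL will refuse for a client that did not signal the secure-renegotiation extension. Option 1 should be a time-boxed exception; option 2 is the configuration to keep.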
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0252.html