Client-initiated secure renegotiation
Aki Tuomi
aki.tuomi at dovecot.fi
Thu Mar 10 11:23:24 UTC 2016
On 10.03.2016 12:40, Osiris wrote:
<snip/>
> That's just the question of Florent: how to disable Secure
> Client-Initiated Renegotiation.
Hi!
There is no way to disable this in OpenSSL, and the CVE you refer to has
been disputed. Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1473 and
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html.
Without altering OpenSSL sources, secure renegotiations will take place.
---
Aki Tuomi
Dovecot Oy