Re: Re: Removing SSL renegotiation (Was: Should we back-patch SSL renegotiation fixes?)

On 2015-07-11 21:09:05 +0900, Michael Paquier wrote:
> Something like the patches attached

Thanks for that!

> could be considered, one is for master
> and REL9_5_STABLE to remove ssl_renegotiation_limit, the second one for
> ~REL9_4_STABLE to change the default to 0.

> diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
> index c669f75..16c0ce5 100644
> --- a/doc/src/sgml/config.sgml
> +++ b/doc/src/sgml/config.sgml
> @@ -1040,7 +1040,7 @@ include_dir 'conf.d'
>          cryptanalysis when large amounts of traffic can be examined, but it
>          also carries a large performance penalty. The sum of sent and received
>          traffic is used to check the limit. If this parameter is set to 0,
> -        renegotiation is disabled. The default is <literal>512MB</>.
> +        renegotiation is disabled. The default is <literal>0</>.

I think we should put in a warning or at least note about the dangers of
enabling it (connection breaks, exposure to several open openssl bugs).