Sean Chittenden <sean@chittenden.org> writes:
>> So, questions for the group: where did the decision to renegotiate
>> every 64K come from? Do we need it at all? Do we need it at such a
>> short interval? And if we do need it, shouldn't the logic be
>> symmetric, so that renegotiations are forced during large input
>> transfers as well as large output transfers?
> It doesn't look like there's any guidance from mod_ssl in Apache 2.0.
Yeah, I looked at mod_ssl before sending in my gripe. AFAICT Apache
*never* forces a renegotiation based on amount of data sent --- all that
code is intended just to handle transitions between different webpages
with different security settings. So is that a precedent we can follow;
or is it an optimization based on the assumption that not a lot of data
will be transferred on any one web page?
(But even if you assume the latter, there are plenty of web pages with
more than 64K of data. It's hard to believe mod_ssl would be built
like that if security demands a renegotiation every 64K or so.)
regards, tom lane
