Disabling SSL Renegotiation

mbuk2k asked:

We need to stop using (insecure) SSL renegotiation for a series of e-commerce sites we provide due to PCI regulations.

Does anyone know of the implications of doing so assuming that we don’t enable secure renegotiation?

Would SSL just re-establish a connect when required? I assume this would increase CPU load but would there be any other issues?

My answer:


For public web sites, TLS renegotiation is not something that would normally happen anyway, so you shouldn’t see any performance issues.

Its chief legitimate use is for the server to request a client certificate, on enterprise web sites where the client must be verified by certificate. But these aren’t going to be handling customers’ credit card information (unless you’ve done something terribly wrong).


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.