Type: integer
Default: 0 (0kB)
Min: 0 (0kB)
Max: 2147483647 (2147483647kB)
Unit: KB
Context: user
Restart: false
Deprecated: 9.4

Specifies how much data can flow over an SSL-encrypted connection before renegotiation of the session keys will take place. Renegotiation decreases an attacker's chances of doing cryptanalysis when large amounts of traffic can be examined, but it also carries a large performance penalty. The sum of sent and received traffic is used to check the limit. If this parameter is set to 0, renegotiation is disabled. The default is 0.

SSL libraries from before November 2009 are insecure when using SSL renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix for this vulnerability, some vendors shipped SSL libraries incapable of doing renegotiation. If any such libraries are in use on the client or server, SSL renegotiation should be disabled.

Due to bugs in OpenSSL, enabling SSL renegotiation by configuring a non-zero ssl_renegotiation_limit is likely to cause problems such as long-lived connections breaking.
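As an added example (not PostgreSQL's own code and not from this page), a small Python audit that reads a postgresql.conf fragment, resolves the memory-unit suffix PostgreSQL accepts for this parameter to kB, and reports whether a non-zero ssl_renegotiation_limit has turned renegotiation on; the sample configuration lines are constructed.

```python
import re

# Multipliers to kB for the memory units postgresql.conf accepts.
# This parameter's native unit is kB, so a bare number means kB.
_UNITS = {"kb": 1, "mb": 1024, "gb": 1024 ** 2, "tb": 1024 ** 3}


def parse_kb(value: str) -> int:
    """Convert a postgresql.conf memory value ('0', '512MB', "'1GB'") to kB."""
    v = value.strip().strip("'\"").strip()
    m = re.fullmatch(r"(\d+)\s*([kKmMgGtT][bB])?", v)
    if not m:
        raise ValueError(f"unparseable memory value: {value!r}")
    num, unit = int(m.group(1)), (m.group(2) or "kB").lower()
    return num * _UNITS[unit]


def renegotiation_limit_kb(conf_text: str) -> int:
    """Effective ssl_renegotiation_limit in kB for the given conf text.

    Later assignments override earlier ones, as in PostgreSQL; a
    commented-out or absent setting yields the documented default, 0.
    (Assumes '#' never appears inside a quoted value, which is true for
    this numeric parameter.)
    """
    limit_kb = 0  # default: renegotiation disabled
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.fullmatch(r"ssl_renegotiation_limit\s*=?\s*(.+)", line)
        if m:
            limit_kb = parse_kb(m.group(1))
    return limit_kb


def renegotiation_enabled(conf_text: str) -> bool:
    """True when the configuration would trigger SSL renegotiation."""
    return renegotiation_limit_kb(conf_text) > 0


# Constructed sample fragments: the risky setting beside the safe one.
WEAK_CONF = """\
ssl = on
ssl_renegotiation_limit = 512MB   # renegotiate every 512 MB of traffic
"""
SAFE_CONF = """\
ssl = on
ssl_renegotiation_limit = 0       # renegotiation disabled (default)
"""

if __name__ == "__main__":
    for name, conf in (("WEAK_CONF", WEAK_CONF), ("SAFE_CONF", SAFE_CONF)):
        print(name, renegotiation_limit_kb(conf), "kB", renegotiation_enabled(conf))
```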
