Re-negotiation handshake failed: Not accepted by client!?
Last updated: Fri, 08 Jan 2010 06:04:42 -0800
The SSL renegotiation insecurity has two aspects, namely client-initiated renegotiation and server-initiated renegotiation. Both of them can be used by a man in the middle as an attack vector.

Renegotiations are needed for an Apache https configuration only if you have a complex SSL configuration that has various different SSL requirements in the same vhost, like requiring client certs only for some Directory, or changing the allowed cipher specs for some Directory (or Location).

If you do not use such a configuration, the best and at the moment only way to be safe against the attack is upgrading to OpenSSL 0.9.8l.

There is a patch for Apache 2.2.14 which completely disables client-initiated renegotiation, thereby still allowing server-side renegotiation:

This makes you safe from (only) one half of the attack without an OpenSSL upgrade and still allows the complex configs to work.

An enhancement of this patch, which should prevent all server-side renegotiation attacks known at the moment, has been applied to the 2.2.x branch very recently:

The first patch has been backported and suggested for 2.0:

and for 1.3:

A backport for the second patch does not yet exist.

I think further discussion about Apache-specific questions is a better fit for the Apache httpd users list.

Regards,

Rainer
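The post says renegotiation is only needed when a vhost carries per-Directory or per-Location SSL requirements that differ from the vhost-level ones. The following added audit script (not part of the original message and not an Apache project tool) walks an httpd configuration and flags the directives mod_ssl enforces by renegotiating when they appear inside a Directory, Location or Files container. The sample configuration is constructed for the example; the container and directive names are the real mod_ssl ones. A flagged directive whose value equals the vhost-level setting will not actually trigger a renegotiation, so the output is a list of candidates to review, not proof that renegotiation happens.

```python
import re

# Constructed sample httpd.conf fragment (not from the original post):
# the vhost asks for no client cert, but one Directory requires one and
# one Location changes the cipher suite, so mod_ssl must renegotiate there.
SAMPLE_CONF = """\
Listen 443
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL
    SSLVerifyClient none
    <Directory "/var/www/public">
        Require all granted
    </Directory>
    <Directory "/var/www/secure">
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Directory>
    <Location "/legacy">
        SSLCipherSuite HIGH:MEDIUM:!aNULL
    </Location>
</VirtualHost>
"""

# Constructed "flat" variant: all SSL requirements live at vhost level,
# so no renegotiation is needed and the client-initiated-renegotiation
# patch from the post can be applied without breaking anything.
SAFE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL
    SSLVerifyClient require
    <Directory "/var/www/secure">
        Require all granted
    </Directory>
</VirtualHost>
"""

# mod_ssl directives that it applies per context by renegotiating the
# connection when the per-context value differs from the vhost value.
RENEG_DIRECTIVES = {"sslverifyclient", "sslverifydepth", "sslciphersuite"}

# Containers below vhost level where such directives imply renegotiation.
PER_CONTEXT_CONTAINERS = {
    "directory", "directorymatch", "location", "locationmatch",
    "files", "filesmatch",
}

OPEN_RE = re.compile(r"^<(\w+)(?:\s+[^>]*)?>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def find_renegotiation_triggers(conf_text):
    """Return (line_no, container, directive, value) tuples for SSL
    directives found inside a per-context container."""
    findings = []
    stack = []  # names of currently open containers, outermost first
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append(m.group(1))
            continue
        m = CLOSE_RE.match(line)
        if m:
            if stack and stack[-1].lower() == m.group(1).lower():
                stack.pop()
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        inside_context = any(c.lower() in PER_CONTEXT_CONTAINERS for c in stack)
        if directive in RENEG_DIRECTIVES and inside_context:
            findings.append((lineno, stack[-1], parts[0], value))
    return findings


def needs_renegotiation(conf_text):
    """True if the config contains any per-context SSL requirement."""
    return bool(find_renegotiation_triggers(conf_text))


if __name__ == "__main__":
    for name, conf in (("SAMPLE_CONF", SAMPLE_CONF), ("SAFE_CONF", SAFE_CONF)):
        print(name, "needs renegotiation:", needs_renegotiation(conf))
        for lineno, container, directive, value in find_renegotiation_triggers(conf):
            print(f"  line {lineno}: {directive} {value} inside <{container}>")
```

Run it against a real httpd.conf by reading the file into a string and passing it to `find_renegotiation_triggers`; a vhost with no findings is one where the renegotiation-disabling patch described above costs nothing, while findings point at the Directory or Location blocks whose requirements would have to be hoisted to vhost level (or split into separate vhosts) before renegotiation can be turned off.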