NetBSD-Users archive


Re: TLS renegotiation bug: time for OpenSSL upgrade?



On Mon, Nov 23, 2009 at 11:19:59AM +0100, Martin Husemann wrote:
> It looks like the version in tree is newer than the pkgsrc version - maybe
> they broke something upstream?

In 5.0.1: OpenSSL 0.9.9-dev 09 May 2008. -current has the same, right?

Despite the higher version number, this is older than the 0.9.8k
we have in pkgsrc, which is from 24 Mar 2009. And 0.9.8k itself
lacks the TLS renegotiation bugfix, which is available in 0.9.8l;
I found it in the OpenSSL Changelog:

 Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]

  *) Disable renegotiation completely - this fixes a severe security
     problem (CVE-2009-3555) at the cost of breaking all
     renegotiation. Renegotiation can be re-enabled by setting
     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
     run-time. This is really not recommended unless you know what
     you're doing.
     [Ben Laurie]


-- 
Emmanuel Dreyfus
manu%netbsd.org@localhost
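The point of the message is that the OpenSSL version number alone misleads: the in-tree "0.9.9-dev 09 May 2008" sorts above pkgsrc's 0.9.8k but predates it and the 0.9.8l change. The script below, an added example that is not part of the message and not OpenSSL code, triages the output of `openssl version` by both the number and the date printed next to it. The fix date (5 Nov 2009) comes from the CHANGES entry quoted above; everything else (the classification rules, the sample version strings marked as constructed, the function names) is an assumption of this example.

```python
import re
from datetime import date

# Release date of 0.9.8l, the version whose CHANGES entry (quoted in the
# message) disables renegotiation to address CVE-2009-3555.
RENEG_FIX_DATE = date(2009, 11, 5)

_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Matches lines such as "OpenSSL 0.9.8k 24 Mar 2009" or
# "OpenSSL 0.9.9-dev 09 May 2008" as printed by `openssl version`.
_VERSION_RE = re.compile(
    r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[A-Za-z0-9]+)?\s+"
    r"(\d{1,2})\s+([A-Z][a-z]{2})\s+(\d{4})\b"
)


def parse_version(text):
    """Split an `openssl version` line into ((major, minor, fix), letters, tag, date)."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, fix, letters, tag, day, mon, year = m.groups()
    dated = date(int(year), _MONTHS[mon], int(day))
    return (int(major), int(minor), int(fix)), letters, tag or "", dated


def reneg_fix_status(text):
    """Return ("vulnerable" | "fixed" | "unknown", reason) for one version line.

    Rules (assumptions of this example, not statements from the message):
      - a tree dated before 5 Nov 2009 cannot contain the 0.9.8l change;
      - a -dev/-beta/-pre snapshot dated after the fix cannot be classified
        from its number, because snapshot numbers run ahead of the releases
        they predate (the 0.9.9-dev case in the message);
      - a 0.9.8 release whose letter sorts at or after 'l' contains the fix,
        and a later release line (1.0.0 and up) dated after 0.9.8l does too.
    """
    nums, letters, tag, dated = parse_version(text)
    if dated < RENEG_FIX_DATE:
        return "vulnerable", "dated %s, before 0.9.8l (%s)" % (dated, RENEG_FIX_DATE)
    if tag.startswith(("-dev", "-beta", "-pre")):
        return "unknown", ("%s snapshot dated %s: read its CHANGES file, the "
                           "number is not a release ordering" % (tag, dated))
    if nums == (0, 9, 8):
        if letters >= "l":  # 0.9.8l ... 0.9.8zh all sort at or after 'l'
            return "fixed", "0.9.8%s is at or after 0.9.8l" % letters
        return "vulnerable", "0.9.8%s predates 0.9.8l" % letters
    if nums > (0, 9, 8):
        return "fixed", "%d.%d.%d is a release line newer than 0.9.8l" % nums
    return "vulnerable", "%d.%d.%d is a release line older than 0.9.8l" % nums


def triage(lines):
    """Classify several version lines; returns {line: status}."""
    return {line: reneg_fix_status(line)[0] for line in lines}


# Constructed sample input. The first two strings are the versions named in
# the message; the rest are made up for the example.
SAMPLES = [
    "OpenSSL 0.9.9-dev 09 May 2008",   # NetBSD 5.0.1 in-tree, per the message
    "OpenSSL 0.9.8k 24 Mar 2009",      # pkgsrc, per the message
    "OpenSSL 0.9.8l 5 Nov 2009",       # constructed
    "OpenSSL 0.9.9-dev 10 Nov 2009",   # constructed: snapshot after the fix
    "OpenSSL 1.0.0 29 Mar 2010",       # constructed
]

if __name__ == "__main__":
    for line in SAMPLES:
        status, reason = reneg_fix_status(line)
        print("%-32s %-10s %s" % (line, status, reason))
```

Treat the result as a first pass only: a vendor package can carry the 0.9.8l change as a backported patch without touching the version string, so a "vulnerable" verdict on a distribution build still has to be checked against that package's patch list, and an "unknown" snapshot needs its CHANGES file read.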

