Re: TLS renegotiation bug: time for OpenSSL upgrade?
On Mon, Nov 23, 2009 at 11:19:59AM +0100, Martin Husemann wrote:
> It looks like the version in tree is newer than the pkgsrc version - maybe
> they broke something upstream?
In 5.0.1: OpenSSL 0.9.9-dev 09 May 2008. -current has the same, right?
Despite the higher version number, this is older than 0.9.8k
we have in pkgsrc, which is from 24 Mar 2009. And 0.9.8k itself
lacks the TLS renegotiation bugfix, which is available in 0.9.8l.
I found it in the OpenSSL Changelog:
Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
*) Disable renegotiation completely - this fixes a severe security
problem (CVE-2009-3555) at the cost of breaking all
renegotiation. Renegotiation can be re-enabled by setting
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
run-time. This is really not recommended unless you know what
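The version confusion above (a 0.9.9-dev snapshot from 2008 that is older than the 0.9.8k release) is easy to get wrong when deciding whether an installed OpenSSL carries the CVE-2009-3555 fix. The following is an added example, not code from this thread or from OpenSSL: it parses the one-line output of `openssl version` and decides by release letter for released versions and by build date for `-dev` snapshots. The fix version and date (0.9.8l, 5 Nov 2009) come from the changelog entry quoted above; the version-string format is assumed to be `OpenSSL X.Y.Z[letter][-dev] DD Mon YYYY`, and treating a snapshot dated after the fix as "unknown" rather than "fixed" is a deliberate assumption, since a snapshot date alone proves nothing about what was merged.

```python
import re
from datetime import date

# From the changelog entry quoted in the message: the first release with the
# CVE-2009-3555 fix is 0.9.8l, dated 5 Nov 2009.
FIX_VERSION = (0, 9, 8, "l")
FIX_DATE = date(2009, 11, 5)

# Assumed format of `openssl version` output, e.g. "OpenSSL 0.9.8k 24 Mar 2009".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-dev)?\s+(\d{1,2})\s+([A-Za-z]{3})\s+(\d{4})"
)
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_version(line):
    """Return ((major, minor, patch, letter), is_dev_snapshot, build_date)."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised `openssl version` output: %r" % line)
    major, minor, patch, letter, dev, day, mon, year = m.groups()
    built = date(int(year), _MONTHS[mon.capitalize()], int(day))
    return (int(major), int(minor), int(patch), letter), dev is not None, built


def assess(line):
    """Classify a version line as 'fixed', 'vulnerable' or 'unknown' with a reason."""
    version, is_dev, built = parse_version(line)
    if is_dev:
        # A -dev snapshot is numbered ahead of every release, so the number says
        # nothing; the snapshot date is the only usable signal.
        if built < FIX_DATE:
            return "vulnerable", "dev snapshot dated %s predates the 0.9.8l fix" % built
        # Assumption: a later snapshot date does not prove the fix was merged.
        return "unknown", "dev snapshot dated %s; check its CHANGES file" % built
    # Released versions: tuple comparison orders 0.9.8k < 0.9.8l < 0.9.9 < 1.0.0.
    if version >= FIX_VERSION:
        return "fixed", "release at or after 0.9.8l"
    return "vulnerable", "release older than 0.9.8l"


if __name__ == "__main__":
    # Constructed sample lines, taken from the versions named in the thread.
    for sample in ("OpenSSL 0.9.9-dev 09 May 2008",
                   "OpenSSL 0.9.8k 24 Mar 2009",
                   "OpenSSL 0.9.8l 5 Nov 2009"):
        status, why = assess(sample)
        print("%-32s %-10s %s" % (sample, status, why))
```

On a live system, feed it `openssl version` (and, for a base-system copy that differs from pkgsrc, the full path to each binary) so that both installs are checked rather than just the one first in `PATH`.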