On Mon, Nov 23, 2009 at 10:33:20AM -0500, Thor Lancelot Simon wrote: | On Mon, Nov 23, 2009 at 10:04:54AM +0000, Emmanuel Dreyfus wrote: | > No base system OpenSSL seems to be planned (correct me if I'm wrong), | > pkgsrc's OpenSSL will fix Firefox's TLSv1 problem, but does it fix the | > TLS renegociation problem? | | Nothing fixes the TLS renegotiation problem. The OpenSSL team have had | about four shots at patches so far, and every one of them breaks | interoperability with some not-uncommon client so badly it's not really | suitable for release. | | The only released version of OpenSSL that deals with the renegotiation | issue at all is so buggy that it shouldn't have been released: it contains | an API change which has already been backed out of every branch of the | OpenSSL repository, and its response to a client-initiated renegotiation | *hangs the connection irretrievably*. | | I'm keeping a pretty close eye on this for work and I do hope they get it | together soon, but not yet. :-/ Hi Thor, Do you know the current status of OpenSSL regarding fixes for this problem  ? I've spent a lot of time over the last few days dealing with the fallout from this problem, and I've been trying to find a fix to OpenSSL in NetBSD 5. thanks, Luke.  Firefox 3.6 causes SSL enabled web servers to core dump in libssl, when running on NetBSD 5.0 and its libssl.so.6.
Description: PGP signature