On Mon, Nov 23, 2009 at 10:33:20AM -0500, Thor Lancelot Simon wrote:
| On Mon, Nov 23, 2009 at 10:04:54AM +0000, Emmanuel Dreyfus wrote:
| > No base system OpenSSL seems to be planned (correct me if I'm wrong),
| > pkgsrc's OpenSSL will fix Firefox's TLSv1 problem, but does it fix the
| > TLS renegotiation problem?
|
| Nothing fixes the TLS renegotiation problem. The OpenSSL team have had
| about four shots at patches so far, and every one of them breaks
| interoperability with some not-uncommon client so badly it's not really
| suitable for release.
|
| The only released version of OpenSSL that deals with the renegotiation
| issue at all is so buggy that it shouldn't have been released: it contains
| an API change which has already been backed out of every branch of the
| OpenSSL repository, and its response to a client-initiated renegotiation
| *hangs the connection irretrievably*.
|
| I'm keeping a pretty close eye on this for work and I do hope they get it
| together soon, but not yet. :-/

Hi Thor,

Do you know the current status of OpenSSL regarding fixes
for this problem [1]?

I've spent a lot of time over the last few days dealing with
the fallout from this problem, and I've been trying to find
a fix to OpenSSL in NetBSD 5.

thanks,
Luke.

[1] Firefox 3.6 causes SSL-enabled web servers to core dump in libssl,
when running on NetBSD 5.0 and its libssl.so.6.