NetBSD-Users archive


Re: TLS renegotiation bug: time for OpenSSL upgrade?



On 3/31/10 10:02 PM, Luke Mewburn wrote:
> On Thu, Apr 01, 2010 at 04:51:57AM +0200, Emmanuel Dreyfus wrote:
>    | Luke Mewburn <lukem%NetBSD.org@localhost> wrote:
>    |
>    |>  Do you know the current status of OpenSSL regarding fixes
>    |>  for this problem [1] ?
>    | (...)
>    |>  [1] Firefox 3.6 causes SSL enabled web servers to core dump in libssl,
>    |>      when running on NetBSD 5.0 and its libssl.so.6.
>    |
>    | Hi
>    |
>    | Since you are reusing the thread about the TLS renegotiation bug, I'd like
>    | to be sure: there is a workaround for that in 5.0.2, right?
>
> At the firefox client end; yes.
>
> At the server end; I'm not sure if disabling TLSv1 in apache2
> avoids the problem.
>
> IMHO, it is not acceptable that a remote client can cause a core dump
> in a server application, or library that the latter uses...
>
> cheers,
> Luke.
>    
Warning: Generally uninformed response follows...

We've been adding the following line to Apache to prevent FF3.6 from 
causing an issue at the server end:
SSLProtocol all -TLSv1
While it's apparently taking care of the issue for browsers, it has made 
our NMS (Java) unhappy... but that's another story.

The OpenSSL changelog[1] under "Changes between 0.9.8l and 0.9.8m [25 
Feb 2010]" mentions renegotiation in a few ways, which I've been told 
"resolves" said issue.  While the version in question is in pkgsrc, I've 
not made the time to give it a try just yet; given that I don't have a 
vicious understanding of the issue itself, it may well be a red herring.

A number of our affected systems are 5.0.2, so I'd have to say no... 
there's no workaround in place.

HTH,

Mike.

[1] http://www.openssl.org/news/changelog.html
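A check worth running once the 0.9.8m upgrade is in place, added here as an example and not part of the thread: 0.9.8m is the release that added RFC 5746 secure renegotiation, and `openssl s_client` prints whether the peer advertises it. The sample outputs below are constructed; `check_host` is the only part that needs the network.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output by whether the server
# advertises RFC 5746 secure renegotiation (present from OpenSSL 0.9.8m on).
# Reads s_client output on stdin and prints one word.
reneg_status() {
  out=$(cat)
  case "$out" in
    *"Secure Renegotiation IS supported"*)     echo supported ;;
    *"Secure Renegotiation IS NOT supported"*) echo unsupported ;;
    *)                                         echo unknown ;;
  esac
}

# Live check against a host (needs network): check_host www.example.org 443
check_host() {
  openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null | reneg_status
}

# Constructed sample outputs, trimmed to the lines that matter.
SAMPLE_UNPATCHED='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported'
SAMPLE_PATCHED='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported'

# Demonstration: an unpatched 0.9.8 server vs. a 0.9.8m+ server.
printf '%s\n' "$SAMPLE_UNPATCHED" | reneg_status
printf '%s\n' "$SAMPLE_PATCHED"   | reneg_status
```

A server that still reports "unsupported" is running the old code regardless of the `SSLProtocol` workaround, which only hides the crash from TLSv1 clients.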

