Re: Apache and TLS renegocitation

To: manu%netbsd.org@localhost
Subject: Re: Apache and TLS renegocitation
From: Matthias Drochner <M.Drochner%fz-juelich.de@localhost>
Date: Tue, 21 Jun 2011 19:40:50 +0200

> 1) a fixed OpenSSL.
> NetBSD-SA2010-002 says netbsd-5 and netbsd-5-0 were fixed on 2010-01-12,
> and 5.0.2 and 5.1 were released later, so theses to releases should be
> alright.

"fixed" means here that SSL renegotiation was disabled. There is a way
to enable it (FLAG_UNSAFE_LEGACY_RENEGOTIATION). This was introduced
in OpenSSL-0.9.8l and immediately dropped in 0.9.8m because it was
considered wrong. This was pulled into NetBSD-5 but it is almost
useless because not supported by modern software. It is also problematic
because the same flag value was reused by OpenSSL>=1.0 for
something different.
While the OpenSSL in 5.1 calls itself "0.9.9-devel", it does not
implement RFC5746 which was introduced in 0.9.8m.

> 2) a fixed apache that supports RFC 5746. According to this document,
> 2.2.15 seems to support RFC 5746

Yes, but it does not support the short-lived FLAG_UNSAFE_LEGACY_RENEGOTIATION
which is the only way to get renegotiation with the OpenSSL version
in NetBSD-5.1.

You could try to build apache against pkgsrc/openssl which is 0.9.8q
and thus supports RFC5746. (and the OP_UNSAFE_LEGACY_RENEGOTIATION
option which can also be used by apache according to "grep")

best regards
Matthias



------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDirig Dr. Karl Eugen Huthmacher
Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------

Besuchen Sie uns auf unserem neuen Webauftritt unter www.fz-juelich.de

Follow-Ups:
- Re: Apache and TLS renegocitation
  - From: Emmanuel Dreyfus

Prev by Date: Re: Apache and TLS renegocitation
Next by Date: Re: Apache and TLS renegocitation
Previous by Thread: Re: Apache and TLS renegocitation
Next by Thread: Re: Apache and TLS renegocitation
Indexes:

Home | Main Index | Thread Index | Old Index