Re: TLS renegociation bug: time for OpenSSL upgrade?

To: Martin Husemann <martin%duskware.de@localhost>
Subject: Re: TLS renegociation bug: time for OpenSSL upgrade?
From: Emmanuel Dreyfus <manu%netbsd.org@localhost>
Date: Mon, 23 Nov 2009 10:26:31 +0000

On Mon, Nov 23, 2009 at 11:19:59AM +0100, Martin Husemann wrote:
> It looks like the version in tree is newer than the pkgsrc version - maybe
> they broke something upstream?

In 5.0.1: OpenSSL 0.9.9-dev 09 May 2008. -current has the same, right?

Despite the higher version number, this is older than 0.9.8k 
we have in pkgsrc, which is from 24 Mar 2009. And 0.9.8k itself 
lacks TLS renegociation bugfix, which is availale in 0.9.8l,
I found it in OpenSSL Changelog:

 Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]

  *) Disable renegotiation completely - this fixes a severe security
     problem (CVE-2009-3555) at the cost of breaking all
     renegotiation. Renegotiation can be re-enabled by setting
     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
     run-time. This is really not recommended unless you know what
     you're doing.
     [Ben Laurie]


-- 
Emmanuel Dreyfus
manu%netbsd.org@localhost

Follow-Ups:
- Re: TLS renegociation bug: time for OpenSSL upgrade?
  - From: Martin Husemann

References:
- TLS renegociation bug: time for OpenSSL upgrade?
  - From: Emmanuel Dreyfus
- Re: TLS renegociation bug: time for OpenSSL upgrade?
  - From: Martin Husemann

Prev by Date: Re: TLS renegociation bug: time for OpenSSL upgrade?
Next by Date: Re: TLS renegociation bug: time for OpenSSL upgrade?
Previous by Thread: Re: TLS renegociation bug: time for OpenSSL upgrade?
Next by Thread: Re: TLS renegociation bug: time for OpenSSL upgrade?
Indexes:

Home | Main Index | Thread Index | Old Index