NetBSD-Users archive


Re: TLS renegotiation bug: time for OpenSSL upgrade?

On Mon, Nov 23, 2009 at 10:04:54AM +0000, Emmanuel Dreyfus wrote:
> No base system OpenSSL seems to be planned (correct me if I'm wrong),
> pkgsrc's OpenSSL will fix Firefox's TLSv1 problem, but does it fix the
> TLS renegotiation problem?

Nothing fixes the TLS renegotiation problem.  The OpenSSL team have had
about four shots at patches so far, and every one of them breaks
interoperability with some not-uncommon client so badly it's not really
suitable for release.

The only released version of OpenSSL that deals with the renegotiation
issue at all is so buggy that it shouldn't have been released: it contains
an API change which has already been backed out of every branch of the
OpenSSL repository, and its response to a client-initiated renegotiation
*hangs the connection irretrievably*.

I'm keeping a pretty close eye on this for work and I do hope they get it
together soon, but not yet. :-/
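Since the thread turns on which OpenSSL build a host is running and whether it handles renegotiation, the practical question for an administrator is what their own server reports. The following POSIX sh helper is an added example, not part of the original message or of OpenSSL itself; it assumes the `Secure Renegotiation IS supported` / `IS NOT supported` line that `openssl s_client` prints in releases implementing the RFC 5746 extension (0.9.8m and later, which post-date this thread). Builds older than that print no such line, which the helper reports as `unknown` rather than guessing. The transcripts embedded below are constructed so the classifier can be exercised offline; `check_host` runs the live check.

```shell
#!/bin/sh
# Added example (not from the NetBSD-Users thread): classify an
# `openssl s_client` transcript by its "Secure Renegotiation" status line.
# Assumption: the OpenSSL build prints that line (RFC 5746-aware releases,
# 0.9.8m and newer). Older builds print nothing, which is reported as
# "unknown" so the operator knows the client side could not tell.

renego_status() {
  # $1: full text of an s_client session (stdout+stderr capture)
  # Prints one word: supported | insecure | unknown
  case "$1" in
    *"Secure Renegotiation IS supported"*)     echo supported ;;
    *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
    *)                                         echo unknown ;;
  esac
}

check_host() {
  # $1: hostname, $2: port (default 443). Live network check of your own server.
  # "Q" on stdin tells s_client to quit once the handshake has completed.
  out=$(printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" 2>&1)
  renego_status "$out"
}

# Constructed sample transcripts (abridged; not captured from a real host).
SAMPLE_SECURE='CONNECTED(00000003)
---
SSL handshake has read 1234 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
---'

SAMPLE_INSECURE='CONNECTED(00000003)
---
SSL handshake has read 1234 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
---'

SAMPLE_OLD_CLIENT='CONNECTED(00000003)
---
SSL handshake has read 1234 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
---'

# Usage: check_host www.example.org 443
# Offline demonstration of the classifier on the constructed samples:
for s in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_OLD_CLIENT"; do
  printf 'status: %s\n' "$(renego_status "$s")"
done
```

An `insecure` result means the server completed the handshake without the renegotiation-indication extension, so a client-initiated renegotiation would be the legacy, unauthenticated kind; `unknown` means the local OpenSSL is too old to report either way and the test should be rerun from a newer build.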

