NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: TLS renegociation bug: time for OpenSSL upgrade?

On Mon, Nov 23, 2009 at 10:33:20AM -0500, Thor Lancelot Simon wrote:
  | On Mon, Nov 23, 2009 at 10:04:54AM +0000, Emmanuel Dreyfus wrote:
  | > No base system OpenSSL seems to be planned (correct me if I'm wrong), 
  | > pkgsrc's OpenSSL will fix Firefox's TLSv1 problem, but does it fix the
  | > TLS renegociation problem?
  | Nothing fixes the TLS renegotiation problem.  The OpenSSL team have had
  | about four shots at patches so far, and every one of them breaks
  | interoperability with some not-uncommon client so badly it's not really
  | suitable for release.
  | The only released version of OpenSSL that deals with the renegotiation
  | issue at all is so buggy that it shouldn't have been released: it contains
  | an API change which has already been backed out of every branch of the
  | OpenSSL repository, and its response to a client-initiated renegotiation
  | *hangs the connection irretrievably*.
  | I'm keeping a pretty close eye on this for work and I do hope they get it
  | together soon, but not yet. :-/

Hi Thor,

Do you know the current status of OpenSSL regarding fixes
for this problem [1] ?

I've spent a lot of time over the last few days dealing with
the fallout from this problem, and I've been trying to find
a fix to OpenSSL in NetBSD 5.


[1] Firefox 3.6 causes SSL enabled web servers to core dump in libssl,
    when running on NetBSD 5.0 and its

Attachment: pgpgHLmFPMZlS.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index