Re: TLS renegociation bug: time for OpenSSL upgrade?
On 3/31/10 10:02 PM, Luke Mewburn wrote:
> On Thu, Apr 01, 2010 at 04:51:57AM +0200, Emmanuel Dreyfus wrote:
> | Luke Mewburn<lukem%NetBSD.org@localhost> wrote:
> |> Do you know the current status of OpenSSL regarding fixes
> |> for this problem?
> | (...)
> |>  Firefox 3.6 causes SSL enabled web servers to core dump in libssl,
> |> when running on NetBSD 5.0 and its libssl.so.6.
> | Hi
> | Since you are reusing the thread about TLS renegotiation bug, I'd like
> | to be sure: there is a workaround for that in 5.0.2, right?
> At the firefox client end; yes.
> At the server end; I'm not sure if disabling TLSv1 in apache2
> avoids the problem.
> IMHO, it is not acceptable that a remote client can cause a core dump
> in a server application, or library that the latter uses...
Warning: Generally uninformed response follows...
We've been adding the following line to Apache to prevent FF3.6 from
causing an issue at the server end:

    SSLProtocol all -TLSv1

While it's apparently taking care of the issue for browsers, it has made
our NMS (Java) unhappy... but that's another story.
The OpenSSL changelog under "Changes between 0.9.8l and 0.9.8m [25
Feb 2010]" mentions renegotiation in a few ways, which I've been told
"resolves" said issue. While the version in question is in pkgsrc, I've
not made the time to give it a try just yet; given that I don't have a
vicious understanding of the issue itself, it may well be a red herring.
A number of our affected systems are 5.0.2, so I'd have to say no...
there's no workaround in place.
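
An added example, not part of the original message: a small Python audit that reports, for each SSLProtocol directive in an Apache config, whether TLSv1 is still enabled, and whether the linked OpenSSL is at least the 0.9.8m release named above. The expansion of "all", the function names and the sample config are assumptions made for illustration.

```python
import re

# Assumption: protocols that "all" expands to on a 2010-era mod_ssl build.
ALL_2010 = ("SSLv2", "SSLv3", "TLSv1")

def effective_protocols(args, all_set=ALL_2010):
    """Evaluate SSLProtocol arguments left to right: '+X' adds, '-X' removes,
    a bare token replaces whatever was enabled before it."""
    canon = {p.lower(): p for p in all_set}
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(all_set) if name.lower() == "all" else {canon.get(name.lower(), name)}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group
    return enabled

def version_key(text):
    """Sort key for pre-1.1 OpenSSL versions such as '0.9.8m' (letter = patch level)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def openssl_at_least(banner, minimum="0.9.8m"):
    return version_key(banner) >= version_key(minimum)

def audit(conf_text, banner):
    """Return (list of (directive args, TLSv1 still enabled?), OpenSSL >= 0.9.8m?)."""
    lines = re.findall(r"(?im)^[ \t]*SSLProtocol[ \t]+([^#\r\n]+)", conf_text)
    report = [(a.strip(), "TLSv1" in effective_protocols(a)) for a in lines]
    return report, openssl_at_least(banner)

# Constructed sample input, not taken from the thread.
SAMPLE_CONF = """\
SSLProtocol all -TLSv1
<VirtualHost *:8443>
    # SSLProtocol all -TLSv1
    SSLProtocol all -SSLv2
</VirtualHost>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "OpenSSL 0.9.8l"))
```

A virtual host that sets its own SSLProtocol, as in the sample, is reported separately, so a server-wide workaround that a vhost undoes shows up in the report.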