NetBSD-Users archive


Re: TLS renegotiation bug: time for OpenSSL upgrade?



On Sat, Apr 03, 2010 at 10:27:44PM +0200, Manuel Bouyer wrote:
  | On Thu, Apr 01, 2010 at 04:02:53PM +1100, Luke Mewburn wrote:
  | > At the firefox client end; yes.
  | > 
  | > At the server end; I'm not sure if disabling TLSv1 in apache2
  | > avoids the problem. 
  | > 
  | > IMHO, it is not acceptable that a remote client can cause a core dump
  | > in a server application, or library that the latter uses...
  | 
  | Can you see if the attached patch fixes your problem ?
  | It does for a similar issue with freeradius for me.
  | I reported this to openssl, but their answer so far has been "try 1.0.0,
  | this may have been fixed". I didn't see anything in the changelog or
  | sources that would confirm it's fixed.

That patch appears to fix the problem.

I removed the "SSLProtocol all -TLSv1" workaround from httpd.conf,
reproduced the problem with the original libssl.so.6.0 (as expected),
installed a new libssl.so.6.0 with your fix, restarted apache,
and the problem has gone.

I think that this fix should be pulled into netbsd-5 ASAP.

Good work!

cheers,
Luke.
