On Sat, Apr 03, 2010 at 10:27:44PM +0200, Manuel Bouyer wrote:
| On Thu, Apr 01, 2010 at 04:02:53PM +1100, Luke Mewburn wrote:
| > At the firefox client end; yes.
| >
| > At the server end; I'm not sure if disabling TLSv1 in apache2
| > avoids the problem.
| >
| > IMHO, it is not acceptable that a remote client can cause a core dump
| > in a server application, or library that the latter uses...
|
| Can you see if the attached patch fixes your problem?
| It does for a similar issue with freeradius for me.
| I reported this to openssl, but their answer so far has been "try 1.0.0,
| this may have been fixed". I didn't see anything in the changelog or
| sources that would confirm it's fixed.

That patch appears to fix the problem.

I removed the "SSLProtocol all -TLSv1" workaround from httpd.conf,
reproduced the problem with the original libssl.so.6.0 (as expected),
installed a new libssl.so.6.0 with your fix, restarted apache, and
the problem has gone.

I think that this fix should be pulled into netbsd-5 ASAP.

Good work!

cheers,
Luke.