pkgsrc-Users archive


Re: Apache and TLS renegotiation

> 1) a fixed OpenSSL.
> NetBSD-SA2010-002 says netbsd-5 and netbsd-5-0 were fixed on 2010-01-12,
> and 5.0.2 and 5.1 were released later, so these two releases should be
> alright.

"fixed" means here that SSL renegotiation was disabled. There is a way
to enable it (FLAG_UNSAFE_LEGACY_RENEGOTIATION). This was introduced
in OpenSSL 0.9.8l and immediately dropped in 0.9.8m because it was
considered wrong. This was pulled into NetBSD-5, but it is almost
useless because it is not supported by modern software. It is also
problematic because the same flag value was reused by OpenSSL >= 1.0 for
something different.
While the OpenSSL in 5.1 calls itself "0.9.9-devel", it does not
implement RFC 5746, which was introduced in 0.9.8m.

> 2) a fixed apache that supports RFC 5746. According to this document,
> 2.2.15 seems to support RFC 5746

Yes, but it does not support the short-lived FLAG_UNSAFE_LEGACY_RENEGOTIATION
which is the only way to get renegotiation with the OpenSSL version
in NetBSD-5.1.

You could try to build apache against pkgsrc/openssl, which is 0.9.8q
and thus supports RFC 5746 (and the OP_UNSAFE_LEGACY_RENEGOTIATION
option, which can also be used by apache according to "grep").

best regards

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDirig Dr. Karl Eugen Huthmacher
Management Board: Prof. Dr. Achim Bachem (Chairman),
Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt

Visit us on our new website at
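The mail above turns on one practical question: does the OpenSSL you are talking to (and the one you are testing with) implement RFC 5746? The script below is an added example and is not part of the original mail or of the pkgsrc/NetBSD/Apache code base. It classifies a server by the "Secure Renegotiation IS supported" / "IS NOT supported" line that `openssl s_client` prints from 0.9.8m onward, and treats the absence of that line as "unknown", because a client without RFC 5746 (such as the NetBSD-5.1 base OpenSSL the mail describes) never prints it. The `OPENSSL` environment variable, the optional second argument selecting a different openssl binary, and the sample outputs embedded in the script are assumptions and constructed data, not captured output.

```sh
#!/bin/sh
# Added example, not part of the original mail: tell apart a server (and a
# client) that speaks RFC 5746 secure renegotiation from one that does not,
# using the "Secure Renegotiation IS [NOT] supported" line that
# `openssl s_client` prints from OpenSSL 0.9.8m onward.
# Assumptions: the openssl binary comes from $OPENSSL (default: openssl in
# PATH); the sample outputs below are constructed, not captured.

# Map s_client output to one word: secure, legacy or unknown.
classify_reneg() {
    case "$1" in
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *"Secure Renegotiation IS NOT supported"*) echo legacy ;;
        # A client without RFC 5746 (a pre-0.9.8m OpenSSL, or the NetBSD-5.1
        # base "0.9.9-devel") never prints the line at all, so "unknown"
        # points at the client you are testing with, not at the server.
        *)                                         echo unknown ;;
    esac
}

# Connect to host:port, close stdin so s_client exits right after the
# handshake, and classify the result. The optional second argument picks
# the openssl binary, so the base-system openssl can be compared with the
# pkgsrc one on the same server.
check_server() {
    host_port=$1
    ssl=${2:-${OPENSSL:-openssl}}
    out=$("$ssl" s_client -connect "$host_port" </dev/null 2>&1)
    classify_reneg "$out"
}

# Constructed sample outputs (abridged) for the three cases.
SAMPLE_SECURE='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE'

SAMPLE_LEGACY='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE'

SAMPLE_OLD_CLIENT='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE'

# Usage: ./reneg-check.sh host:port [path-to-openssl]
if [ $# -ge 1 ]; then
    check_server "$@"
fi
```

Run it once with the base-system openssl and once with pkgsrc's (for example `./reneg-check.sh www.example.org:443 /usr/pkg/bin/openssl`): if only the pkgsrc binary reports "secure", the server is fine and it is the base client that lacks RFC 5746, which is exactly the situation the mail describes for NetBSD-5.1.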
