Re: SSL renegociation vulnerability

To: tech-security%netbsd.org@localhost
Subject: Re: SSL renegociation vulnerability
From: christos%astron.com@localhost (Christos Zoulas)
Date: Sat, 5 Dec 2009 03:30:57 +0000 (UTC)

In article <20091204162709.GA11270%panix.com@localhost>,
Thor Lancelot Simon  <tls%panix.com@localhost> wrote:
>On Fri, Dec 04, 2009 at 01:13:52AM -0500, Brian Seklecki wrote:
>> 
>> However, I can confirm that:
>> 
>>   http://security.FreeBSD.org/patches/SA-09:15/ssl.patch
>
>If this is the patch from OpenSSL 0.9.8l it should not be applied to
>NetBSD; it is broken and introduces both forward *and* backwards API
>and ABI incompatibility.

Unfortunately I have not seen anything in the head of the OpenSSL tree
that addresses this issue so I have applied a similar patch to FreeBSD
that disables renegotiation completely for now. I would like to have
a better solution, but I don't see one.

christos

Follow-Ups:
- Re: SSL renegociation vulnerability
  - From: Thor Lancelot Simon

References:
- Re: SSL renegociation vulnerability
  - From: Emmanuel Dreyfus
- Re: SSL renegociation vulnerability
  - From: Brian Seklecki
- Re: SSL renegociation vulnerability
  - From: Thor Lancelot Simon

Prev by Date: Re: SSL renegociation vulnerability
Next by Date: Re: SSL renegociation vulnerability
Previous by Thread: Re: SSL renegociation vulnerability
Next by Thread: Re: SSL renegociation vulnerability
Indexes:

Home | Main Index | Thread Index | Old Index