Date: Wed, 18 Nov 2009 07:18:55 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Daniel <da@lonx.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Openssl TLS Reneg "Bug"
Message-ID: <4B039FDF.4010704@infracaninophile.co.uk>
In-Reply-To: <1e50fb510911170347t59ba964dhf3110980a5e70161@mail.gmail.com>
References: <1e50fb510911170347t59ba964dhf3110980a5e70161@mail.gmail.com>

Daniel wrote:
> Dear List,
> new here so sorry if I am missing any important points. I was
> wondering: Does anyone know of the status of the "amended" openssl
> packages for FreeBSD. I'd like to try running our site with "reneg
> off", but I can't seem to find any notion of this on freebsd sites?
> Any ideas, pointers?

The only way of doing that at present is to use openssl-0.9.8l which
has simply had the renegotiation stuff diked out of it. That's available
as the security/openssl port, but be aware that you will have to
rebuild any SSL-aware application to link against the shlibs it installs.

The fix in 0.9.8l is an interim measure which cripples certain openssl
functionality: installing it may cause websites to malfunction, so make
sure you have good backups and have thought about how you can back the
change out if needed.

openssl-0.9.8m will provide the corrected renegotiation mechanisms as
described in

https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt

However, 0.9.8m has not yet been released.

I'd assume that this will probably be the subject of a FreeBSD Security
Advisory once the fixes are available, and that supported FreeBSD
branches will be updated to 0.9.8m or otherwise patched to the same effect
in the base system.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey