Date: Sat, 19 Dec 2009 15:29:14 +0300 From: Maxim Dounin <mdounin@mdounin.ru> To: Chris H <chris#@1command.com> Cc: freebsd-stable@freebsd.org Subject: Re: SSL appears to be broken in 8-STABLE/RELEASE Message-ID: <20091219122914.GJ43547@mdounin.ru> In-Reply-To: <0edc3b334fc301f51193354f7a0da61b.HRCIM@webmail.1command.com> References: <f7206c210912190058u36222a04ge474279af10c9990@mail.gmail.com> <20091219111339.GH43547@mdounin.ru> <0edc3b334fc301f51193354f7a0da61b.HRCIM@webmail.1command.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello! On Sat, Dec 19, 2009 at 03:23:57AM -0800, Chris H wrote: > On Sat, December 19, 2009 3:13 am, Maxim Dounin wrote: > > Hello! > > > > > > On Sat, Dec 19, 2009 at 09:58:49AM +0100, H. Ingow wrote: > > > > > > [...] > > > > > >> Please try to compile your application against the version of openssl > >> available in the ports tree. > >> > >> As you already mentioned (SA-09:15) breaks renegotiation with base system's > >> openssl by fixing a security issue ( it actually does). > >> > >> Prerequisite for the following is, of course, to install > >> /usr/ports/security/openssl which will give you > >> openssl 0.9.8l . (You do not necessarily have to remove the base openssl) > > > > OpenSSL 0.9.8l has renegotiation disabled too, this won't help. > > > > > > The only difference is that 0.9.8l has some means to re-enable > > legacy renegotiation which may be utilized by applications which are aware of the > > problem. > Which is exactly what's required to implement your previous suggestion. :) No, my previous suggestion is unrelated. Additionally, to re-enable renegotiation in openssl 0.9.8l you need an application which is able to set SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s->s3->flags. I haven't seen any yet, and google codesearch is able to find only one such app (proftpd). Maxim Dounin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091219122914.GJ43547>