Openssl TLS Reneg "Bug"

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Nov 18 07:19:02 UTC 2009


Daniel wrote:
> Dear List,
> new here so sorry if I am missing any important points. I was
> wondering: does anyone know of the status of the "amended" openssl
> packages for FreeBSD. I'd like to try running our site with "reneg
> off", but I can't seem to find any notion of this on freebsd sites?
> Any ideas, pointers?

The only way of doing that at present is to use openssl-0.9.8l which
has simply had the renegotiation stuff diked out of it.  That's available
as the security/openssl port, but be aware that you will have to 
rebuild any SSL-aware application to link against the shlibs it
installs.

The fix in 0.9.8l is an interim measure which cripples certain openssl
functionality: installing it may cause websites to malfunction, so make
sure you have good backups and have thought about how you can back the
change out if needed.

openssl-0.9.8m will provide the corrected renegotiation mechanisms as
described in 

https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt

However, 0.9.8m has not yet been released.  I'd assume that this will
probably be the subject of a FreeBSD Security Advisory once the fixes
are available, and that supported FreeBSD branches will be updated to
0.9.8m or otherwise patched to the same effect in the base system.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
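Added example, not part of the post above: a small model of the signalling that the draft Matthew links to (later published as RFC 5746) adds to the TLS handshake, so you can see what the 0.9.8m "corrected renegotiation" looks like on the wire, and what a server does with a peer that does not signal it (the 0.9.8l behaviour of refusing renegotiation altogether is one branch). The extension type 0xff01 and the signalling cipher suite 0x00ff are taken from RFC 5746; the server rules in `server_decision` are a simplified reading of that RFC's section on server behaviour, and all handshake bytes are constructed in the code, not captured from any OpenSSL build.

```python
import struct

# Values from RFC 5746 (the published form of draft-rescorla-tls-renegotiate).
RENEGOTIATION_INFO = 0xFF01            # extension type "renegotiation_info"
EMPTY_RENEG_SCSV = 0x00FF              # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F  # ordinary suite, used as filler


def build_client_hello(cipher_suites, extensions=(), client_random=b"\x11" * 32):
    """Serialise a minimal TLS 1.0 ClientHello handshake message (no record header).
    The constant client_random is constructed sample data, not a real nonce."""
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = b"\x03\x01" + client_random + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                            # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length


def renegotiation_info_ext(client_verify_data=b""):
    """renegotiation_info carries opaque renegotiated_connection<0..255>: empty on an
    initial handshake, the client's previous Finished verify_data on a renegotiation."""
    return (RENEGOTIATION_INFO, bytes([len(client_verify_data)]) + client_verify_data)


def parse_client_hello(msg):
    """Return (cipher_suites, {ext_type: ext_data}) from a ClientHello handshake message."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                     # skip version and random
    off += 1 + body[off]                             # skip session_id
    (cs_len,) = struct.unpack("!H", body[off:off + 2]); off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                             # skip compression methods
    exts = {}
    if off < len(body):                              # extensions block is optional
        (ext_len,) = struct.unpack("!H", body[off:off + 2]); off += 2
        end = off + ext_len
        while off < end:
            t, l = struct.unpack("!HH", body[off:off + 4]); off += 4
            exts[t] = body[off:off + l]; off += l
    return suites, exts


def client_signals_secure_reneg(msg):
    """True if the client advertises RFC 5746 support by either mechanism."""
    suites, exts = parse_client_hello(msg)
    return EMPTY_RENEG_SCSV in suites or RENEGOTIATION_INFO in exts


def server_decision(msg, secure_reneg_established=False, is_renegotiation=False,
                    expected_client_verify=b"", allow_legacy=False):
    """Simplified model of the RFC 5746 server rules; returns 'secure', 'legacy' or 'abort'.
    secure_reneg_established: whether the initial handshake on this connection
    already negotiated the extension. allow_legacy=False models a server that,
    like 0.9.8l, refuses any renegotiation the peer cannot bind to the old session."""
    suites, exts = parse_client_hello(msg)
    has_ext = RENEGOTIATION_INFO in exts
    payload = None
    if has_ext:
        data = exts[RENEGOTIATION_INFO]
        if len(data) != 1 + data[0]:                 # malformed length prefix
            return "abort"
        payload = data[1:]
    if not is_renegotiation:
        if has_ext:
            return "secure" if payload == b"" else "abort"   # must be empty initially
        if EMPTY_RENEG_SCSV in suites:
            return "secure"
        return "legacy" if allow_legacy else "abort"
    # Renegotiation on an existing connection.
    if secure_reneg_established:
        if EMPTY_RENEG_SCSV in suites or not has_ext:
            return "abort"                           # SCSV is for initial handshakes only
        return "secure" if payload == expected_client_verify else "abort"
    return "legacy" if allow_legacy else "abort"
```

The `expected_client_verify` argument stands in for the client Finished verify_data the server kept from the previous handshake; binding the new ClientHello to it is what stops an attacker's initial handshake being spliced in front of the victim's.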
