SSL appears to be broken in 8-STABLE/RELEASE

Maxim Dounin mdounin at mdounin.ru
Sat Dec 19 12:29:17 UTC 2009


Hello!

On Sat, Dec 19, 2009 at 03:23:57AM -0800, Chris H wrote:

> On Sat, December 19, 2009 3:13 am, Maxim Dounin wrote:
> > Hello!
> >
> >
> > On Sat, Dec 19, 2009 at 09:58:49AM +0100, H. Ingow wrote:
> >
> >
> > [...]
> >
> >
> >> Please try to compile your application against the version of openssl
> >> available in the ports tree.
> >>
> >> As you already mentioned (SA-09:15) breaks renegotiation with base system's
> >> openssl by fixing a security issue (it actually does).
> >>
> >> Prerequisite for the following is, of course, to install
> >> /usr/ports/security/openssl which will give you
> >> openssl 0.9.8l. (You do not necessarily have to remove the base openssl)
> >
> > OpenSSL 0.9.8l has renegotiation disabled too, this won't help.
> >
> >
> > The only difference is that 0.9.8l has some means to re-enable
> > legacy renegotiation which may be utilized by applications which are aware of the
> > problem.
> Which is exactly what's required to implement your previous suggestion. :)

No, my previous suggestion is unrelated.

Additionally, to re-enable renegotiation in openssl 0.9.8l you
need an application which is able to set
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s->s3->flags.  I
haven't seen any yet, and Google codesearch is able
to find only one such app (proftpd).

Maxim Dounin

