sandeep kiran p wrote:
> Ours is an LDAP directory enabled application where we use SSL/TLS to
> protect binds to the directory. Right now we are using OpenSSL 0.9.8g to
> do this. Our application depends on external directory servers for
> authentication which are not maintained by us. So it is only the client
> side of SSL/TLS that we are concerned with.
>
> My question here is, with the above setup, are we also affected by the
> renegotiation attack (CVE-2009-3555)? Should we also upgrade to OpenSSL
> 0.9.8l? If I understand the attack correctly, it only affects servers
> that support renegotiation since the client is not aware that the server
> actually requests a renegotiation. Or are there any other scenarios
> where my client could also be affected?

Kurt Zeilenga posted an analysis about this for LDAP:

http://www.ietf.org/mail-archive/web/ldapext/current/msg01829.html

Ciao, Michael.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org