On 11/09/2009 10:39 AM, Boyle Owen wrote:
>> -----Original Message-----
>> From: Dirk-Willem van Gulik [mailto:[email protected]]
>> Sent: Saturday, November 07, 2009 12:28 AM
>> To: [email protected]
>> Subject: Re: TLS renegotiation attack, mod_ssl and OpenSSL
>>
>> +1 from me. (FreeBSD, Solaris). Test with and without certs (firefox,
>> safari, openssl tool). Tested with renegotiation break script openssl.
>
> Can I just verify what is supposed to happen with the break script test?
>
> I have built 2.2.14 with 0.9.8l on Solaris 10. I do:
>
> $ openssl -connect wibble:443
> ...
> GET / HTTP/1.1
> Host:wibble
> R
> RENEGOTIATING
>
> Then the connection hangs and I get no further data back from the
> server. On http://wibble/server-status, I see:
>
> 6-0 17718 0/1/1 R 0.14 31 90 0.0 0.00 0.00 ? ? ..reading..
>
> Is this the intended behaviour? I thought it was supposed to drop the
> connection?
Dirk's tests are about the httpd patch (http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch) which drops the connection. Not sure what openssl 0.9.8l does or what the intended behaviour is. You might need to ask on the openssl dev list about that.

Regards

Rüdiger
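The check the thread describes, written out as an added example (not code from the thread, from httpd or from OpenSSL): drive `openssl s_client` through the same request-then-`R` sequence against a server you operate, finish the request after the renegotiation so a server that accepted it has something to answer, and classify the captured transcript. It assumes a server speaking TLS 1.2 or lower (s_client's `R` command only renegotiates there), coreutils `timeout`, and a hostname you supply; the transcripts used in the test are constructed.

```shell
#!/bin/sh
# classify_renegotiation TRANSCRIPT
# Prints one of: renegotiated | dropped | no-renegotiation
# "dropped" is the behaviour the CVE-2009-3555 httpd patch intends:
# s_client announced the renegotiation and the server never answered.
classify_renegotiation() {
    transcript="$1"
    case "$transcript" in
        *RENEGOTIATING*) ;;
        *) echo no-renegotiation; return 0 ;;   # R was never reached/issued
    esac
    # Everything s_client printed after it announced the renegotiation.
    after=$(printf '%s\n' "$transcript" | sed -n '/RENEGOTIATING/,$p' | sed '1d')
    case "$after" in
        *"HTTP/1."*) echo renegotiated ;;   # handshake completed, request served
        *)           echo dropped ;;        # hang or close, as the patch intends
    esac
}

# check_server HOST [PORT]: constructed driver, needs network and openssl.
# The "R" line is consumed by s_client as a command (it is not sent), so
# -ign_eof must NOT be used: s_client only honours R without it.
check_server() {
    host="$1"; port="${2:-443}"
    transcript=$( {
        printf 'GET / HTTP/1.1\r\nHost: %s\r\n' "$host"   # incomplete request
        sleep 1
        printf 'R\n'                                      # ask for renegotiation
        sleep 1
        printf '\r\n'                                     # now complete the request
        sleep 5
    } | timeout 15 openssl s_client -connect "$host:$port" -tls1_2 2>&1 )
    classify_renegotiation "$transcript"
}
```

Run it as `check_server your.host.example` against a server you administer; a patched httpd should report `dropped`.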
