Hello! On Fri, Dec 18, 2009 at 05:32:41PM -0800, Chris H wrote:
> Greetings, > A recent (cvs checkout of src/ports on 2009-12-09) install of 8 seems to > indicate > that changes in SSL have made it virtually unusable. I've spent the past 3 > days > attempting to (re)create an SSL enabled virtual host that serves web based > access > to local mail. Since it's local, I'm using self-signed certs following a > scheme > that > has always worked flawlessly for the past 9 yrs. However, now having > installed 8, > it isn't working. The browser(s) throw "ssl_error_handshake_failure_alert" > (ff-3.56). > Other gecko based, and non-gecko based UA's throw similar, as well as > openssl's > s_client. After immense research, the only thing I can find that might best > explain > it is a recent SA patch applied to FreeBSD's src (SA-09:15). After reading > what the > patch provides. I am able to better understand the error messages thrown to > /var/messages when attempting to negotiate a secure session in a UA: [...] > So, if I understand things correctly. The patch prevents (re)negotiation. > Making > the likelihood of a successful "handshake" near null (as the log messages > above > show). I'm sure that some may be quick to point the finger at the self-signed > cert being more likely the cause, I should add that while in fact quite > unlikely, > I too didn't completely rule that out. So I purchased one from startssl - > money > wasted. The results were the same. So it would appear that until something > else > is done to overcome the hole in current openssl, my only recourse is to back > the > patch out, and rebuild openssl && all affected ports - no? If you are using Apache as server, you may consider using server-wide SSLVerifyClient (instead of per-location ones which require renegotiation). Maxim Dounin _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[email protected]"
