> Probably not intended, at least behavior of current 0.9.8-stable CVS
is
> different now. See my mail with quite similar question:
> http://marc.info/?l=openssl-dev&m=125792743829558&w=2
Thanks Tomas, interesting post... I have tested various builds against
the client renegotiation vulnerability and get the following results:
httpd-2.2.14 (unpatched) with openssl-0.9.8l:
connection "hangs", both sides reading connection
httpd-2.2.14 (with CVE-2009-3555-2.2.patch) with openssl-0.9.8l:
connection "hangs", both sides reading connection
httpd-2.2.14 (with CVE-2009-3555-2.2.patch) with openssl-0.9.8k:
connection dropped by server with:
25217:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:534:
I don't want to risk connections getting hung up, so my conclusion is
that I should deploy the patched version of mod_ssl with 0.9.8k. Or is a
0.9.8m in the offing?
Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
PS: Test method:
$ openssl s_client -connect wibble:443
...
GET / HTTP/1.1
Host:wibble
R
PPS: Although I have subscribed to this list, I am not getting the mails
(I have to keep checking the archives). Is there anyone who can check
out my account?
This message is for the named person's use only. It may contain confidential,
proprietary or legally privileged information. If you receive this message in
error, please notify the sender urgently and then immediately delete the
message and any copies of it from your system. Please also immediately destroy
any hardcopies of the message.
The sender's company reserves the right to monitor all e-mail communications
through their networks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
