[[EMAIL PROTECTED] - Fri Jun  7 14:22:15 2002]:

> even though Netscape still works, this should be considered a bug since
> IE is now broken when in the past it worked fine

It is a bug in IE, not in OpenSSL.  Note that the problem is avoided
when using RC4 ciphersuites, and these are typically preferred by most
clients anyway.  However OpenSSL clients prefer 3DES ciphersuites by
default, so interoperability problems of OpenSSL clients with broken
servers must be expected.

Future versions of OpenSSL will be modified so that the CBC security
workaround that caused these problems with some broken SSL/TLS
implementations can be disabled.  We have to decide whether to give
higher priority to security (enable the workaround by default and let
applications that don't need it, such as Apache with mod_ssl or
Apache-SSL, disable it) or to interoperability (disable the workaround
by default and rely on applications to enable it when it is needed).
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
