On Sun, Nov 15, 2009 at 12:54:11PM +0200, Eren Türkay wrote:
> On Wednesday 11 November 2009 10:16:54 am Tomas Hoger wrote:
> > 0.9.8-stable does send an alert and tears down connection immediately.
> > So the behavior in 0.9.8l was not really intended.
>
> Will the new version of the package be released for this issue? In 0.9.8l
> release, the connection just hangs as Tomas said. Should we update the
> package

This is starting to pose a major problem for external parties trying to
update their packaged OpenSSL versions.

I see two basic issues:

1) 0.9.8l and everything else have *different* APIs for control of
   unsafe legacy renegotiation. That is very bad as if it persists
   for any length of time 3rd-party vendors shipping OpenSSL will
   have to support *both* APIs.

2) 0.9.8l does the wrong thing when a renegotiation's requested,
   hanging as described above.

I know 0.9.8-stable snapshots have these bugs fixed and much more (e.g. the
new TLS renegotiation extension). However, there are a couple of thousand
lines of diffs between 0.9.8{k,l} and the snapshots. That makes life hard
for anyone trying to track OpenSSL in an external source tree too.

Would it be possible to get an 0.9.8m release which is just the 0.9.8l
quick fix but with the two bugs listed above corrected? It would make
life a lot easier for everyone in the long run, I believe, by helping
restrain propagation of the wrong-API for renegotiation control.

Thor
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]