On Sat, Jan 30, 2010 at 04:07:59PM -0700, [email protected] wrote 2.6K bytes in 72 lines about:
: If you have Vidalia.app containing tor 0.2.1.22, and you've also
: installed Apple's "Mac OS X Security Update 2010-001", you'll have
: noticed that Apple made some errors in their TLS renegotiation.

Thanks for the detailed writeup. Perhaps you want to view
https://bugs.torproject.org/flyspray/index.php?do=details&id=1225 and
the comments. Or perhaps
http://archives.seul.org/or/talk/Jan-2010/msg00253.html for the current
state of packages and fixes.

: Apple removed TLS renegotiation even for apps that both need TLS
: renegotiation and do it safely. Apple did this in spite of the upstream
: OpenSSL project having fixed the renegotiation vulnerability more
: sanely. Apple is apparently using a partial back-port of the fix.

Technically, they just disabled it. You can enable TLS renegotiation by
setting CPPFLAGS='-DSSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION=0x0010'
in front of configure.

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject

