On Fri, 2009-11-20 at 01:52 +0100, Ondra Kudlik wrote:
> Thu, Nov 12, 2009 at 04:55:22 +0100, Robert Segall wrote:
> > On Wed, 2009-11-11 at 16:01 -0500, (private) HKS wrote:
> > > http://www.kb.cert.org/vuls/id/120541
> > >
> > > I assume Pound is vulnerable to this since it seems to be a flaw in
> > > the actual protocol design, but can anyone confirm?
> >
> > Yes, Pound suffers from the same problem (as you correctly note, this is
> > really an SSL issue). We hope this will be fixed in some upcoming OpenSSL
> > version.
>
> We all hope it will be, but is there any possibility you make a
> workaround on this directly in Pound while waiting? By workaround I
> mean just disable renegotiation in pound.
>
> Whole problem is that not everybody is able to use newest version of
> openssl which disables renegotiations at all (not enough skills to
> compile it for distributions or fear that it breaks many other applications).
>
> Thanks for considering
>
> Ondra 'Kepi' Kudlik

As far as I know a patched OpenSSL version is out. A work-around on our side would probably be quite complex, so I'd rather skip it if possible. Opinions are welcome.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
