Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-11 Thread Chris Palmer
Maxim Dounin writes: While talking about often - do you have any stats? Anyway, this is quite different from all client cert-powered apps you stated in your previous message. IIS defaults to renegotiation when doing client cert auth, and Apache certainly can (possibly must? I don't know)
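The Apache case raised above, shown as an added configuration example; this is not code from the thread or from the FreeBSD advisory, and the paths and host name in it are placeholders. Both fragments are mod_ssl directives. The first requires a client certificate only for one path, which makes mod_ssl finish the initial handshake without a certificate, read the HTTP request, and then renegotiate to fetch it; with renegotiation disabled by OpenSSL 0.9.8l or the FreeBSD-SA-09:15.ssl patch, requests to that path fail. The second requests the certificate in the initial handshake, so no renegotiation is needed.

```apache
# Added example, not from the thread or the advisory. Paths and names are placeholders.
#
# 1) Renegotiation-dependent layout: the client certificate is only required
#    for /secure/, so the initial handshake completes with SSLVerifyClient none
#    and mod_ssl renegotiates after reading the request. A server built with
#    renegotiation disabled returns an error for every request under /secure/.
<VirtualHost *:443>
    ServerName www.example.com                  # placeholder
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/ssl/server.crt    # placeholder paths
    SSLCertificateKeyFile /usr/local/etc/ssl/server.key
    SSLCACertificateFile  /usr/local/etc/ssl/clientca.crt
    SSLVerifyClient none

    <Location /secure/>
        SSLVerifyClient require     # per-directory change of the verify level => renegotiation
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# 2) Renegotiation-free layout: the verify level is fixed for the whole virtual
#    host, so the CertificateRequest is part of the initial handshake. Content
#    that must stay reachable without a client certificate goes on another
#    virtual host (or another port) instead of a per-directory exception.
<VirtualHost *:443>
    ServerName secure.example.com               # placeholder
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/ssl/server.crt
    SSLCertificateKeyFile /usr/local/etc/ssl/server.key
    SSLCACertificateFile  /usr/local/etc/ssl/clientca.crt
    SSLVerifyClient require                     # requested during the initial handshake
    SSLVerifyDepth  2
</VirtualHost>
```

The same renegotiation is triggered by any per-directory change that mod_ssl cannot apply to the existing session, for example a stricter SSLCipherSuite inside a Location block, so after applying the patch grep the httpd configuration for SSLVerifyClient and SSLCipherSuite inside Directory or Location containers. A common middle ground is SSLVerifyClient optional at the virtual-host level with require in the protected Location: a client that already presented a certificate in the initial handshake is then checked against the stricter level without a new handshake, while a client that sent none still needs the renegotiation that the patched library refuses.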

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Bogdan Ćulibrk
Actually, pretty much anyone who uses client certificates in an enterprise environment is likely to have a problem with this, which is why the IETF TLS working group is working on publishing a protocol fix. It looks like that RFC should be published, at Proposed Standard, in a few weeks, and

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Dag-Erling Smørgrav
Bogdan Ćulibrk b...@default.rs writes: This advisory kind of made a big problem here locally (things stopped working). I had to roll back this update because of session renegotiation breakage. That's the whole point, the patch disables session renegotiation because it's fundamentally broken.

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Bogdan Ćulibrk
Dag-Erling Smørgrav wrote: Bogdan Ćulibrk b...@default.rs writes: This advisory kind of made a big problem here locally (things stopped working). I had to roll back this update because of session renegotiation breakage. That's the whole point, the patch disables session renegotiation because

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Dag-Erling Smørgrav
Bogdan Ćulibrk b...@default.rs writes: basically the whole communication between two applications relied on using exactly this functionality in OpenSSL. In that case, the only choice you have is to revert to the previous version... DES -- Dag-Erling Smørgrav - d...@des.no

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Dag-Erling Smørgrav
Dan Lukes d...@obluda.cz writes: Even after the patch has been installed, my browser is still able to connect to SSL aware HTTP servers. My MUA is still sending/receiving emails over SMTP/SSL and IMAP/SSL ... Do you use client-side certificates? I'm not saying you have no problem, I'm saying

RE: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Barry Raveendran Greene
Actually, pretty much anyone who uses client certificates in an enterprise environment is likely to have a problem with this, which is why the IETF TLS working group is working on publishing a protocol fix. It looks like that RFC should be published, at Proposed Standard, in a few

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Dag-Erling Smørgrav
Dag-Erling Smørgrav d...@des.no writes: The correct anser is: answer, even DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Chris Palmer
Dag-Erling Smørgrav writes: Do you use client-side certificates? This is probably the original poster's problem. FreeBSD Security Advisory FreeBSD-SA-09:15.ssl made clear that the patch fixes the protocol bug by removing the broken feature (session renegotiation), but stated incorrectly

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Maxim Dounin
Hello! On Thu, Dec 10, 2009 at 10:37:18AM -0800, Chris Palmer wrote: Dag-Erling Smørgrav writes: Do you use client-side certificates? This is probably the original poster's problem. FreeBSD Security Advisory FreeBSD-SA-09:15.ssl made clear that the patch fixes the protocol bug

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-10 Thread Chris Palmer
Maxim Dounin writes: It's not true. The patch (as well as OpenSSL 0.9.8l) breaks only apps that do not request client certs in the initial handshake, but instead do it via renegotiation. It's not a really commonly used feature. The ideal case is not the typical case:

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-06 Thread Dag-Erling Smørgrav
Michal m...@infosec.pl writes: Is there a way to reinstall just these libraries or to get them from the net in a secure manner i.e. signed? # freebsd-update fetch install DES -- Dag-Erling Smørgrav - d...@des.no

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-06 Thread Michal
Dag-Erling Smørgrav wrote: Michal m...@infosec.pl writes: Is there a way to reinstall just these libraries or to get them from the net in a secure manner i.e. signed? # freebsd-update fetch install It is what I was looking for, thank you very much. Michal -- Power tends to corrupt, and

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-05 Thread Michal
FreeBSD Security Advisories wrote: b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libcrypto
# make obj && make depend && make includes && make && make install
NOTE: On the amd64 platform, the above procedure will not update the lib32 (i386

FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-03 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 = FreeBSD-SA-09:15.ssl Security Advisory The FreeBSD Project Topic:

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-03 Thread Niels Bakker
Hi, = FreeBSD-SA-09:15.ssl Security Advisory The FreeBSD Project [..] b) Execute the following commands as root: # cd

Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-03 Thread Eygene Ryabinkin
Thu, Dec 03, 2009 at 02:09:36PM +0100, Niels Bakker wrote: = FreeBSD-SA-09:15.ssl Security Advisory The FreeBSD Project

FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

2009-12-03 Thread Garrett Wollman
On Thu, 3 Dec 2009 09:30:39 GMT, FreeBSD Security Advisories security-advisor...@freebsd.org said: NOTE WELL: This update causes OpenSSL to reject any attempt to renegotiate SSL / TLS session parameters. As a result, connections in which the other party attempts to renegotiate session