On Fri, Feb 26, 2010 at 12:17:14PM +0100, Rainer Jung wrote:
> Isn't 0.9.8m by default still allowing unsafe renegs? So updated
> clients will be safe, but the server doesn't enforce the safety
> (and reject unsafe clients).

No, OpenSSL now only allows secure reneg by default, so this is
backwards-incompatible with unpatched clients by default.

> trunk already contains a patch by Joe that allows the admin to
> decide whether he wants to reject unsafe reneg or not.
>
> The revisions of the patch and some additions to it are:
>
> 906039
> 906057
> 906067
> 906116
> 906454
> 906485
> 906491
> 906493
> 908015
>
> I guess backporting is pretty straightforward. Wouldn't it be nice
> to already support this with 2.2.15?
>
> Joe, do you already have a candidate, or should I suggest a backport
> patch myself?

I'm working on this today.

To answer Ruediger's question: yes, the stuff in trunk should work with
0.9.8m since the API is the same, but I haven't tested it yet.

Regards, Joe
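The thread turns on how a server tells a patched (RFC 5746) client from an unpatched one, and on the admin toggle that decides whether unpatched clients may still renegotiate. The following is an added example, not code from this thread, from httpd or from OpenSSL: it builds minimal TLS 1.0 ClientHello messages (constructed bytes), parses out the two RFC 5746 signals a client can send (the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite 0x00FF, or the renegotiation_info extension, type 0xFF01), and applies a server-side policy modelled on the "reject unsafe reneg or not" switch Rainer describes. The function and parameter names, and the mapping of that switch to the `SSLInsecureRenegotiation` directive later shipped in httpd 2.2.15, are this example's own assumptions.

```python
"""Added example: detecting RFC 5746 support in a ClientHello and applying
a server policy for clients that lack it. Not from the httpd thread, httpd
or OpenSSL; names and sample bytes are assumptions / constructed for the demo."""
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746 section 3.3)
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746 section 3.2)


def build_client_hello(cipher_suites, extensions):
    """Construct a minimal TLS 1.0 ClientHello handshake message (constructed test input)."""
    body = b"\x03\x01"                      # client_version: TLS 1.0
    body += bytes(32)                       # random: zeros, fine for a constructed message
    body += b"\x00"                         # session_id: empty
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                     # compression_methods: null only
    if extensions:
        ext = b"".join(struct.pack("!HH", etype, len(data)) + data
                       for etype, data in extensions)
        body += struct.pack("!H", len(ext)) + ext
    # Handshake header: msg_type 1 (client_hello) + 3-byte length.
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def parse_client_hello(msg):
    """Return (cipher_suite_list, {ext_type: ext_data}) from a ClientHello handshake message."""
    if not msg or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                            # skip version and random
    sid_len = body[off]
    off += 1 + sid_len
    (cs_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    suites = [struct.unpack("!H", body[off + i:off + i + 2])[0]
              for i in range(0, cs_len, 2)]
    off += cs_len
    cm_len = body[off]
    off += 1 + cm_len
    exts = {}
    if off < len(body):                     # extensions block is optional
        (ext_len,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        end = off + ext_len
        if end != len(body):
            raise ValueError("bad extensions length")
        while off < end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            exts[etype] = body[off:off + elen]
            off += elen
    return suites, exts


def client_signals_secure_reneg(msg):
    """True if the client advertises RFC 5746 via the SCSV or the renegotiation_info extension.
    A real server must additionally verify the extension's verify_data against the previous
    handshake; presence alone is only the 'is this client patched?' signal."""
    suites, exts = parse_client_hello(msg)
    return SCSV in suites or RENEG_INFO_EXT in exts


def accept_renegotiation(msg, insecure_renegotiation_allowed=False):
    """Server policy for a ClientHello received during renegotiation.
    insecure_renegotiation_allowed models the admin switch from the thread
    (assumed here to correspond to httpd's SSLInsecureRenegotiation directive)."""
    if client_signals_secure_reneg(msg):
        return True
    return insecure_renegotiation_allowed


if __name__ == "__main__":
    legacy = build_client_hello([0x002F, 0x0035], [])
    patched = build_client_hello([0x002F, SCSV], [])
    print("legacy client, default policy :", accept_renegotiation(legacy))
    print("legacy client, insecure allowed:", accept_renegotiation(legacy, True))
    print("patched client, default policy:", accept_renegotiation(patched))
```

With the default policy an unpatched client's renegotiation attempt is refused, which is the backwards incompatibility Joe refers to; flipping the switch restores the pre-RFC 5746 behaviour and with it the original prefix-injection exposure. To check a deployed server rather than constructed bytes, `openssl s_client -connect host:443` from a 0.9.8m or later build prints whether "Secure Renegotiation IS supported" after the handshake.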