On 03/03/2010 07:02 PM, William A. Rowe Jr. wrote:
> On 3/3/2010 11:50 AM, Stefan Fritsch wrote:
>> On Wednesday 03 March 2010, Mladen Turk wrote:
>>> BTW, I wouldn't recommend compiling against 0.9.8m.
>>> openssl s_client < 0.9.8m blocks on renegotiation
>>
>> Have you only tried 0.9.8l as client? It has a known bug with
>> renegotiation that makes it hang instead of fail.
>>
>> I have no problems with 0.9.8c and 0.9.8g (from Debian 4.0 and 5.0).
>> If SSLInsecureRenegotiation is on, it works. If
>> SSLInsecureRenegotiation is off, I get an "sslv3 alert handshake
>> failure".
>
> And the bug is specific to openssl < 0.9.8m mishandling the alert; it will
> neither abort nor resume the prior session, so it is left to timeout.  You
> may want to contrast this behavior to legacy IE, Firefox, etc.

Right, and I'm afraid if SSLInsecureRenegotiation (default) isn't set
while compiled with 0.9.8m one can easily create a DoS attack.

I might be wrong, but if the client is 0.9.8k it just stays
connected until the server timeout. Sure it's disconnected if
SSLInsecureRenegotiation is set, but then what's the point?


Regards
--
^TM
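Two defender-side checks for the issue discussed in this thread, as an added example that is not part of the original mail or of httpd/mod_ssl itself: one flags `SSLInsecureRenegotiation on` in a mod_ssl config, the other classifies an `openssl s_client` transcript by whether the server advertises RFC 5746 secure renegotiation. It assumes coreutils `timeout` is available for the optional live probe; the config file and transcript below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the weak mod_ssl setting and
# reads s_client output for the "Secure Renegotiation IS ..." status line
# that OpenSSL >= 0.9.8m prints (older clients print neither variant).

find_insecure_reneg() {
  # $1: httpd/mod_ssl config file. Prints matching lines; returns 1 if the
  # directive is enabled anywhere (commented-out lines are skipped), else 0.
  if grep -Ein '^[[:space:]]*SSLInsecureRenegotiation[[:space:]]+on([[:space:]]|$)' "$1"; then
    return 1
  fi
  return 0
}

classify_reneg_output() {
  # $1: captured s_client output. Check the "IS NOT" form first so the
  # "IS supported" pattern can never match a negative line.
  case "$1" in
    *"Secure Renegotiation IS NOT supported"*) echo "legacy-only"; return 1 ;;
    *"Secure Renegotiation IS supported"*)     echo "rfc5746";     return 0 ;;
    *)                                         echo "unknown";     return 2 ;;
  esac
}

probe_server() {
  # $1: host:port, $2: timeout in seconds (default 10). Wrapped in `timeout`
  # (assumed coreutils) so a client that hangs on the handshake-failure alert
  # cannot stall a scan. Not invoked below, to keep the example offline.
  timeout "${2:-10}" openssl s_client -connect "$1" </dev/null 2>&1
}

# Constructed sample inputs so both checks can be exercised without a server.
SAMPLE_CONF=$(mktemp)
printf 'SSLEngine on\n# SSLInsecureRenegotiation on\n  SSLInsecureRenegotiation on\n' > "$SAMPLE_CONF"
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
Protocol  : TLSv1
Cipher    : DHE-RSA-AES256-SHA
Secure Renegotiation IS supported'

find_insecure_reneg "$SAMPLE_CONF" || echo "weak setting found in $SAMPLE_CONF"
classify_reneg_output "$SAMPLE_TRANSCRIPT"
rm -f "$SAMPLE_CONF"
```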
