On 08/05/2014 09:06 PM, Simo Sorce wrote:
> Yeah I know it is broken, does it mean you want to have it disabled and
> return an error if requested until a fixed openssl library/call is
> available ?

Not only did I not have a concrete proposal, I don't have any particular
say in the matter -- I'm not on the apache team :)  I just wanted to
make sure that adopting/incorporating something like this is done with
knowledge of the state of the art.

That said, I do like the idea that such a mechanism would be able to
indicate to the user whether a given connection is using a tls-unique
based on the revised session hash, or if it is using the old (broken)
mechanism.  Whether that's best handled as an error response or some
other approach, I'm not sure.

Regards,

        --dkg
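As an added illustration of the indicator dkg describes (not code from this thread or from any project discussed in it): the "revised session hash" is negotiated through the extended_master_secret TLS extension (type 0x0017, defined in draft-ietf-tls-session-hash, later RFC 7627). A client or server can tell whether the peer agreed to it by looking at the ServerHello extension list. The parser below reads a TLS 1.2 ServerHello body, reports which extensions were negotiated, and classifies the resulting tls-unique value as "session-hash" (bound to the full handshake) or "legacy" (the pre-session-hash construction). The sample ServerHello bytes are constructed here for the example.

```python
import struct

# Extension type for extended_master_secret (draft-ietf-tls-session-hash / RFC 7627).
EXT_EXTENDED_MASTER_SECRET = 0x0017

def parse_server_hello(body: bytes) -> dict:
    """Parse a TLS 1.2 ServerHello handshake body (the bytes after the
    4-byte handshake header). Returns version, cipher suite and a dict of
    extension type -> extension data."""
    off = 0
    version = struct.unpack_from(">H", body, off)[0]
    off += 2
    server_random = body[off:off + 32]
    off += 32
    sid_len = body[off]
    off += 1
    session_id = body[off:off + sid_len]
    off += sid_len
    cipher_suite = struct.unpack_from(">H", body, off)[0]
    off += 2
    compression = body[off]
    off += 1

    extensions = {}
    if off < len(body):
        # extensions_length(2) followed by (type(2), length(2), data) entries
        ext_total = struct.unpack_from(">H", body, off)[0]
        off += 2
        end = off + ext_total
        if end != len(body):
            raise ValueError("extensions length does not match message length")
        while off < end:
            etype, elen = struct.unpack_from(">HH", body, off)
            off += 4
            if off + elen > end:
                raise ValueError("extension overruns extensions block")
            extensions[etype] = body[off:off + elen]
            off += elen
    if off != len(body):
        raise ValueError("trailing bytes after ServerHello")

    return {
        "version": version,
        "random": server_random,
        "session_id": session_id,
        "cipher_suite": cipher_suite,
        "compression": compression,
        "extensions": extensions,
    }

def tls_unique_status(hello: dict) -> str:
    """Classify the tls-unique channel binding this handshake will yield.
    'session-hash' means extended_master_secret was negotiated (the revised
    construction); 'legacy' means the original tls-unique is in use."""
    if EXT_EXTENDED_MASTER_SECRET in hello["extensions"]:
        return "session-hash"
    return "legacy"

def build_server_hello(with_ems: bool) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello body for the example
    (constructed sample data, not a captured handshake)."""
    body = b"\x03\x03"                 # TLS 1.2
    body += bytes(range(32))           # server random (constructed)
    body += b"\x00"                    # empty session id
    body += b"\xc0\x2f"                # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x00"                    # null compression
    exts = b"\xff\x01\x00\x01\x00"     # renegotiation_info, empty renegotiated_connection
    if with_ems:
        exts += struct.pack(">HH", EXT_EXTENDED_MASTER_SECRET, 0)  # empty data
    body += struct.pack(">H", len(exts)) + exts
    return body

if __name__ == "__main__":
    for ems in (False, True):
        hello = parse_server_hello(build_server_hello(ems))
        print(sorted(hex(t) for t in hello["extensions"]), "->", tls_unique_status(hello))
```

In a real deployment the same check would be applied to the negotiated connection state rather than to raw bytes; the point is that the decision (error out, or surface a "legacy tls-unique" indicator as dkg suggests) can be made from a single bit of handshake state.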

