On 08/05/2014 09:06 PM, Simo Sorce wrote:

> Yeah I know it is broken, does it mean you want to have it disabled and
> return an error if requested until a fixed openssl library/call is
> available ?
Not only did I not have a concrete proposal, I don't have any particular say in the matter -- I'm not on the Apache team :) I just wanted to make sure that adopting/incorporating something like this is done with knowledge of the state of the art.

That said, I do like the idea that such a mechanism would be able to indicate to the user whether a given connection is using a tls-unique based on the revised session hash, or if it is using the old (broken) mechanism. Whether that's best handled as an error response or some other approach, I'm not sure.

Regards,

--dkg