Hello! On Sat, Dec 19, 2009 at 03:23:57AM -0800, Chris H wrote:
> On Sat, December 19, 2009 3:13 am, Maxim Dounin wrote: > > Hello! > > > > > > On Sat, Dec 19, 2009 at 09:58:49AM +0100, H. Ingow wrote: > > > > > > [...] > > > > > >> Please try to compile your application against the version of openssl > >> available in the ports tree. > >> > >> As you already mentioned (SA-09:15) breaks renegotiation with base system's > >> openssl by fixing a security issue ( it actually does). > >> > >> Prerequisite for the following is, of course, to install > >> /usr/ports/security/openssl which will give you > >> openssl 0.9.8l . (You do not necessarily have to remove the base openssl) > > > > OpenSSL 0.9.8l has renegotiation disabled too, this won't help. > > > > > > The only difference is that 0.9.8l has some means to re-enable > > legacy renegotiation which may be utilized by applications which are aware > > of the > > problem. > Which is exactly what's required to implement your previous suggestion. :) No, my previous suggestion is unrelated. Additionally, to re-enable renegotiation in openssl 0.9.8l you need an application which is able to set SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s->s3->flags. I haven't seen any yet, and google codesearch is able to find only one such app (proftpd). Maxim Dounin _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"