Hi,

I backported the patch against CVE-2009-3555 from Apache trunk, 2.2 and
2.0 (proposed). The patch is available at

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41.patch

CVE-2009-3555 is about the Man in the Middle attack against HTTPS.
The patch disables the use of client initiated SSL renegotiation. Server
initiated reneg is still allowed (and vulnerable).

See also:

http://svn.apache.org/viewvc?rev=833582&view=rev
http://svn.apache.org/viewvc?rev=833622&view=rev
http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x-v2.patch

Backport is not totally straightforward, because the original patches
use the filter architecture not present in Apache 1.3.

Any feedback on the patch is welcome. Some additional debug output can
be activated by using -DRENEG_DEBUG.

Regards,

Rainer
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
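The gate the message describes, modelled in plain C as an added example (this is not Rainer's patch and not mod_ssl code; the state names, event names and scenario sequences are assumptions chosen for readability). Once the initial handshake completes, a second handshake start is refused unless the server code itself asked for the renegotiation, which is exactly the path the message notes is still allowed and still vulnerable. The RENEG_DEBUG block mirrors the compile-time switch the message mentions.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not the backported patch: a plain-C model of the
 * renegotiation gate. In mod_ssl the real check sits in the SSL info
 * callback; the names below are assumptions for this illustration. */

typedef enum {
    RENEG_INIT,    /* initial handshake not yet finished */
    RENEG_REJECT,  /* handshake done: a client-initiated reneg is refused */
    RENEG_ALLOW,   /* server asked for a reneg (e.g. per-directory client cert) */
    RENEG_ABORT    /* a forbidden reneg was seen; connection is being closed */
} reneg_state_t;

typedef enum {
    EV_HANDSHAKE_START,   /* library reports a (re)handshake starting */
    EV_HANDSHAKE_DONE,    /* library reports a handshake completed */
    EV_SERVER_RENEG       /* server code itself requests renegotiation */
} event_t;

typedef struct {
    reneg_state_t state;
    int completed;        /* handshakes that finished on this connection */
} conn_t;

static void conn_init(conn_t *c) { c->state = RENEG_INIT; c->completed = 0; }

/* Feed one event; returns 0 to keep going, -1 when the connection must be torn down. */
static int reneg_gate(conn_t *c, event_t ev)
{
    switch (ev) {
    case EV_SERVER_RENEG:
        /* Server opens the door just before it triggers renegotiation itself.
         * This path stays open, which is why the message calls it still vulnerable. */
        c->state = RENEG_ALLOW;
        return 0;
    case EV_HANDSHAKE_START:
        if (c->state == RENEG_REJECT) {
#ifdef RENEG_DEBUG   /* mirrors the compile-time debug switch the message mentions */
            fprintf(stderr, "reneg_gate: refusing client-initiated renegotiation\n");
#endif
            c->state = RENEG_ABORT;
            return -1;
        }
        return 0;
    case EV_HANDSHAKE_DONE:
        c->completed++;
        c->state = RENEG_REJECT;   /* from now on only server-initiated reneg passes */
        return 0;
    }
    return 0;
}

/* Runs a constructed event sequence; returns completed handshakes, or -1 if aborted. */
static int run_sequence(const event_t *evs, size_t n)
{
    conn_t c;
    size_t i;
    conn_init(&c);
    for (i = 0; i < n; i++)
        if (reneg_gate(&c, evs[i]) < 0)
            return -1;
    return c.completed;
}

/* Constructed scenarios (sample input, not captured traffic). */
int scenario_plain_session(void)
{
    const event_t evs[] = { EV_HANDSHAKE_START, EV_HANDSHAKE_DONE };
    return run_sequence(evs, sizeof evs / sizeof evs[0]);   /* 1 */
}

int scenario_client_reneg(void)
{
    /* client starts a second handshake after the first one finished */
    const event_t evs[] = { EV_HANDSHAKE_START, EV_HANDSHAKE_DONE, EV_HANDSHAKE_START };
    return run_sequence(evs, sizeof evs / sizeof evs[0]);   /* -1: refused */
}

int scenario_server_reneg(void)
{
    /* server requests reneg (e.g. to ask for a client certificate), then it completes */
    const event_t evs[] = { EV_HANDSHAKE_START, EV_HANDSHAKE_DONE,
                            EV_SERVER_RENEG, EV_HANDSHAKE_START, EV_HANDSHAKE_DONE };
    return run_sequence(evs, sizeof evs / sizeof evs[0]);   /* 2: still allowed */
}

int main(void)
{
    printf("plain=%d client_reneg=%d server_reneg=%d\n",
           scenario_plain_session(), scenario_client_reneg(), scenario_server_reneg());
    return 0;
}
```

Compile with `-DRENEG_DEBUG` to see the refusal logged on stderr. The model makes the caveat in the message concrete: the gate only closes the client-initiated path, so a deployment that triggers server-side renegotiation (for example per-location client certificate requirements) keeps that exposure until the protocol-level fix is in place.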
