On 5/6/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> The patch in PR#1204 as I understand it turns a common false positive in
> correct implementations into a much rarer false negative on incorrect
> implementations so if nothing better can be thought of that may be a
> usable compromise. However if the bug is widespread that may result in
> an increase in failed connections, possibly after the initial handshake
> I'd guess with "bad record mac" errors.
So. How best to handle this? Tell admins in the release notes that you're going to keep an eye on the number of 'bad record mac' errors, and if there's a much larger number than normal that you're going to send a message to syslog saying they should report back to the OpenSSL team?

I believe the TLS block padding bug was related to early implementations of TLS in IE 4 or 5, but I cannot remember the history reliably. (This is, IIRC, why TLS 1.0 is disabled by default in most everything pre-IE7.)

-Kyle H

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                                [EMAIL PROTECTED]
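For readers following the thread, here is a small worked illustration of the two padding checks being weighed above: the strict TLS 1.0 rule (RFC 2246 section 6.2.3.2, every padding byte must equal the length byte) versus the lenient, SSLv3-style rule (only the length byte is trusted) that a workaround for the block padding bug has to fall back to. This is an added example written for this page, not OpenSSL's code and not the patch from PR#1204; the block size, MAC key, request bytes and the "buggy peer" padding filler are constructed, and the record MAC is simplified to an HMAC over the data alone (the real TLS MAC also covers the sequence number, content type, version and length). It works on the plaintext as it looks after CBC decryption, so no cipher is involved.

```python
import hmac
import hashlib

# Constructed parameters for the illustration (not OpenSSL's values or code):
BLOCK = 8                        # 8-byte block cipher, as with 3DES-CBC
MAC_LEN = 20                     # HMAC-SHA1 output, as in TLS 1.0 cipher suites
BAD_RECORD_MAC = "bad record mac"


def _pad_len(payload_len: int) -> int:
    """Smallest n such that payload || n padding bytes || length byte fills whole blocks."""
    return (BLOCK - (payload_len + 1) % BLOCK) % BLOCK


def pad_tls(payload: bytes) -> bytes:
    """RFC 2246 padding: n padding bytes and the length byte all carry the value n."""
    n = _pad_len(len(payload))
    return payload + bytes([n]) * (n + 1)


def pad_sslv3_style(payload: bytes) -> bytes:
    """Padding as a peer with the 'TLS block padding bug' emits it: the length byte is
    right but the padding bytes are arbitrary (SSLv3 never specified their contents).
    The filler 1, 2, 3, ... is constructed so the example is reproducible."""
    n = _pad_len(len(payload))
    return payload + bytes(range(1, n + 1)) + bytes([n])


def strip_padding(plaintext: bytes, strict: bool):
    """Return the payload (data || MAC) or None if the padding is unacceptable.
    strict=True is the TLS 1.0 rule; strict=False is the lenient workaround."""
    if not plaintext:
        return None
    n = plaintext[-1]
    if n + 1 > len(plaintext):
        return None                          # length byte claims more than we have
    if strict and any(b != n for b in plaintext[-(n + 1):-1]):
        return None                          # every padding byte must equal n
    return plaintext[:-(n + 1)]


def protect(data: bytes, key: bytes, buggy_peer: bool = False) -> bytes:
    """Build the plaintext of one record: data || HMAC-SHA1(data) || padding."""
    mac = hmac.new(key, data, hashlib.sha1).digest()
    payload = data + mac
    return pad_sslv3_style(payload) if buggy_peer else pad_tls(payload)


def open_record(plaintext: bytes, key: bytes, strict: bool):
    """Return (data, None) on success or (None, BAD_RECORD_MAC) on failure.
    A padding failure is reported with the same alert as a MAC failure so a peer
    cannot distinguish the two (the padding-oracle precaution); that is why a
    padding mismatch surfaces as a 'bad record mac' error rather than a padding error."""
    payload = strip_padding(plaintext, strict)
    if payload is None or len(payload) < MAC_LEN:
        return None, BAD_RECORD_MAC
    data, mac = payload[:-MAC_LEN], payload[-MAC_LEN:]
    expected = hmac.new(key, data, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None, BAD_RECORD_MAC
    return data, None


def demo():
    """Run both checks over three constructed records and collect the outcomes."""
    key = b"constructed mac key, not a real one"   # constructed
    data = b"GET / HTTP/1.0\r\n"                    # constructed, 16 bytes
    good = protect(data, key)                        # correct TLS 1.0 padding
    buggy = protect(data, key, buggy_peer=True)      # SSLv3-style padding
    tampered = bytearray(good)
    tampered[len(data)] ^= 0x01                      # flip one bit of the MAC
    return {
        "correct_peer_strict": open_record(good, key, strict=True),
        "correct_peer_lenient": open_record(good, key, strict=False),
        "buggy_peer_strict": open_record(buggy, key, strict=True),     # the false positive
        "buggy_peer_lenient": open_record(buggy, key, strict=False),   # what the workaround buys
        "tampered_strict": open_record(bytes(tampered), key, strict=True),
        "tampered_lenient": open_record(bytes(tampered), key, strict=False),
    }


if __name__ == "__main__":
    for name, (d, err) in demo().items():
        print(f"{name:22s} -> {err or d!r}")
```

The strict check rejects the buggy peer's record even though its MAC is intact, and the failure is indistinguishable on the wire from a real MAC failure; the lenient check accepts that record at the cost of no longer validating the padding bytes, which is the trade-off being described. A genuinely corrupted record fails either way because the MAC still covers the data.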