I was unaware you're using 1.0.x.  I use Debian, and squeeze still uses 0.9.8.

To that end, I've whipped up 
http://goochfriend.org/0001-port-SSL-Renegotiation-patch-to-2.6f.patch

See if that hooks you up.

Disclaimers though:
1) My branch of Pound is a little different, since I have a lot more homebrew 
patches in the mix.  It should apply, and I verified it compiles.
2) I verified the thc exploit confirms no renegotiation on my branch.
3) I was testing w/ squeeze so that's OpenSSL 0.9.8o.

So YMMV, but let me know if you run into any problems and how it works for you.
If it solves the problem maybe Robert can clean it up and make it a config
option or something similar.  Should probably have config options for allowing
insecure renegotiation (for those stuck with MSIE problems), and other options
to disable renegotiation entirely.

Joe

> -----Original Message-----
> From: Jorge Fábregas [mailto:[email protected]]
> Sent: Tuesday, November 01, 2011 9:18 PM
> To: [email protected]
> Subject: Re: [Pound Mailing List] SSL renegotiation DDoS and Pound
> 
> On 10/26/2011 12:56 PM, Joe Gooch wrote:
> > Did you try compiling with Openssl 0.9.8l?
> 
> Is it worth going back to OpenSSL 0.9.8l (from 1.0.x) and therefore
> ignore all bug & security fixes that went afterwards?  I don't think
> so.
> 
> I still, however, would like to disable renegotiation but, apparently,
> this is not trivial with OpenSSL.
> 
> Regards,
> Jorge
> 
> P.S. still surprised that people here are not commenting on this -
> considering the easy-to-use exploit is out there :(
> 
> --
> To unsubscribe send an email with subject unsubscribe to
> [email protected].
> Please contact [email protected] for questions.
