Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Maxim Dounin
Hello! On Sat, Dec 19, 2009 at 05:23:53AM -0800, Chris H wrote: [...] > Indeed. I understand that. In fact my OP (original post) indicated my use was > in a "vhost" - eg; > NameVirtualHost host.ip.add.ress:443 > > SSLEnable > SSLVerifyClient (options 0-3;none work) > SSLRequireSSL > SSLNoV2 >

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Chris H
Hello Maxim, and thank you again for your reply. On Sat, December 19, 2009 3:54 am, Maxim Dounin wrote: > Hello! > > > On Sat, Dec 19, 2009 at 03:18:21AM -0800, Chris H wrote: > > >> Hello Maxim, and thank you for taking the time to reply. >> On Sat, December 19, 2009 2:14 am, Maxim Dounin wrote: >

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Sean
On 19/12/2009, at 11:29 PM, Maxim Dounin wrote: > > No, my previous suggestion is unrelated. > > Additionally, to re-enable renegotiation in openssl 0.9.8l you > need an application which is able to set > SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s->s3->flags. I > haven't seen any yet,

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread H. Ingow
Sorry if my proposal won't fit in this case and thanks, Maxim for clearing out what exactly to be aware of to have applications run with openssl .0.9.8l But for the sake of completeness /usr/ports/security/tor-devel is very well capable of handling re-negotiation. see src/common/tortls.c and gr

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Maxim Dounin
Hello! On Sat, Dec 19, 2009 at 03:23:57AM -0800, Chris H wrote: > On Sat, December 19, 2009 3:13 am, Maxim Dounin wrote: > > Hello! > > > > > > On Sat, Dec 19, 2009 at 09:58:49AM +0100, H. Ingow wrote: > > > > > > [...] > > > > > >> Please try to compile your application against the version of op

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Maxim Dounin
Hello! On Sat, Dec 19, 2009 at 03:18:21AM -0800, Chris H wrote: > Hello Maxim, and thank you for taking the time to reply. > On Sat, December 19, 2009 2:14 am, Maxim Dounin wrote: > > Hello! > > > > > > On Fri, Dec 18, 2009 at 05:32:41PM -0800, Chris H wrote: > > > > > >> Greetings, > >> A recent

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Chris H
On Sat, December 19, 2009 3:13 am, Maxim Dounin wrote: > Hello! > > > On Sat, Dec 19, 2009 at 09:58:49AM +0100, H. Ingow wrote: > > > [...] > > >> Please try to compile your application against the version of openssl >> available in the ports tree. >> >> As you already mentioned (SA-09:15) breaks r

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Chris H
Hello Maxim, and thank you for taking the time to reply. On Sat, December 19, 2009 2:14 am, Maxim Dounin wrote: > Hello! > > > On Fri, Dec 18, 2009 at 05:32:41PM -0800, Chris H wrote: > > >> Greetings, >> A recent (cvs checkout of src/ports on 2009-12-09) install of 8 seems to >> indicate that chan

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Maxim Dounin
Hello! On Sat, Dec 19, 2009 at 09:58:49AM +0100, H. Ingow wrote: [...] > Please try to compile your application against the version of openssl > available in the ports tree. > > As you already mentioned (SA-09:15) breaks renegotiation with base system's > openssl by fixing > a security issue (

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Chris H
Greetings, and thank you for taking the time to respond. On Sat, December 19, 2009 12:58 am, H. Ingow wrote: > First my apologies for breaking the thread. > We also had this issue and tried to find an acceptable solution. > To make a long story short: > > > Please try to compile your application ag

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Chris H
Greetings Matthew, and thank you very much for your reply. On Sat, December 19, 2009 12:33 am, Matthew Seaman wrote: > Chris H wrote: > >> Greetings, >> A recent (cvs checkout of src/ports on 2009-12-09) install of 8 seems to >> indicate that changes in SSL have made it virtually unusable. I've spe

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Chris H
Greetings Clifton, and thank you for your reply. On Sat, December 19, 2009 12:16 am, Clifton Royston wrote: > On Fri, Dec 18, 2009 at 05:32:41PM -0800, Chris H wrote: > >> Greetings, >> A recent (cvs checkout of src/ports on 2009-12-09) install of 8 >> seems to indicate that changes in SSL have mad

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Maxim Dounin
Hello! On Fri, Dec 18, 2009 at 05:32:41PM -0800, Chris H wrote: > Greetings, > A recent (cvs checkout of src/ports on 2009-12-09) install of 8 seems to > indicate > that changes in SSL have made it virtually unusable. I've spent the past 3 > days > attempting to (re)create an SSL enabled virtu

SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread H. Ingow
First my apologies for breaking the thread. We also had this issue and tried to find an acceptable solution. To make a long story short: Please try to compile your application against the version of openssl available in the ports tree. As you already mentioned (SA-09:15) breaks renegotiation wit

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Matthew Seaman
Chris H wrote: Greetings, A recent (cvs checkout of src/ports on 2009-12-09) install of 8 seems to indicate that changes in SSL have made it virtually unusable. I've spent the past 3 days attempting to (re)create an SSL enabled virtual host that serves web based access to local mail. Since it'

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-19 Thread Clifton Royston
On Fri, Dec 18, 2009 at 05:32:41PM -0800, Chris H wrote: > Greetings, > A recent (cvs checkout of src/ports on 2009-12-09) install of 8 > seems to indicate that changes in SSL have made it virtually > unusable. I've spent the past 3 days attempting to (re)create an SSL > enabled virtual host that

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-18 Thread Chris H
Hello Peter, and thank you for the reply. > On 2009-12-18 05:32:41PM -0800, Chris H wrote: > >> Greetings, >> A recent (cvs checkout of src/ports on 2009-12-09) install of 8 seems to >> indicate that changes in SSL have made it virtually unusable. I've spent the >> past 3 days attempting to (re)cre

Re: SSL appears to be broken in 8-STABLE/RELEASE

2009-12-18 Thread Peter C. Lai
This might have something to do with a libthr discussion I was CCed on. Someone mentioned something about removing a link to libthr in openssl but I can't remember if this was in the port or base openssl... On 2009-12-18 05:32:41PM -0800, Chris H wrote: > Greetings, > A recent (cvs checkout of sr

SSL appears to be broken in 8-STABLE/RELEASE

2009-12-18 Thread Chris H
Greetings, A recent (cvs checkout of src/ports on 2009-12-09) install of 8 seems to indicate that changes in SSL have made it virtually unusable. I've spent the past 3 days attempting to (re)create an SSL enabled virtual host that serves web based access to local mail. Since it's local, I'm usin