APR Connector renegotiation fix

2009-11-12 Thread Mladen Turk
Hi,

Just made the fix by modifying the mod_ssl patch so that connection gets closed on R. Problem with OpenSSL 0.9.8l is that it has renegotiation disabled and that it gets blocked in 'R', thus making it a potential DoS (much worse than actual R), so I'd suggest we don't use it and create immediate

Re: APR Connector renegotiation fix

2009-11-12 Thread Mladen Turk
On 12/11/09 12:34, Mladen Turk wrote:
> I'd suggest we don't use it and create immediate release of 1.1.18 with the fix.

BTW, released 1.1.17 reports as 1.1.17-dev ;) RM forgot to update the version before tagging. So yet another reason for 1.1.18.

Regards
--
^TM

Re: APR Connector renegotiation fix

2009-11-12 Thread Mladen Turk
On 12/11/09 17:25, Filip Hanik - Dev Lists wrote:
> Note. Don't use 0.9.8l for testing cause that bugger will block on renegotiation until socket timeout.

This is actually not so bad. Since it's so easy to achieve the same DoS by simply sending a partial POST body, or partial GET request, and

Re: APR Connector renegotiation fix

2009-11-12 Thread Filip Hanik - Dev Lists
On 11/12/2009 04:34 AM, Mladen Turk wrote:
> Hi, Just made the fix by modifying the mod_ssl patch so that connection gets closed on R. Problem with OpenSSL 0.9.8l is that it has renegotiation disabled and that it gets blocked in 'R', thus making it a potential DoS (much worse than actual R), so I'd

Re: APR Connector renegotiation fix

2009-11-12 Thread Rainer Jung
On 12.11.2009 17:39, Mladen Turk wrote:
> Well even OpenSSL folks admitted that 0.9.8l wrongly approached dealing with that issue. They even removed the SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch and now they use SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION using

Re: APR Connector renegotiation fix

2009-11-12 Thread Mladen Turk
On 12/11/09 21:17, Rainer Jung wrote:
> On 12.11.2009 17:39, Mladen Turk wrote:
>> Well even OpenSSL folks admitted that 0.9.8l wrongly approached dealing with that issue. They even removed the SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch and now they use

Re: APR Connector renegotiation fix

2009-11-12 Thread Rainer Jung
On 12.11.2009 21:31, Mladen Turk wrote:
> On 12/11/09 21:17, Rainer Jung wrote:
>> On 12.11.2009 17:39, Mladen Turk wrote:
>>> Well even OpenSSL folks admitted that 0.9.8l wrongly approached dealing with that issue. They even removed the SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8