From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 22:53:00 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6937F106566B for ; Thu, 3 Dec 2009 22:53:00 +0000 (UTC) (envelope-from wollman@hergotha.csail.mit.edu) Received: from hergotha.csail.mit.edu (hergotha.csail.mit.edu [66.92.79.170]) by mx1.freebsd.org (Postfix) with ESMTP id 1741A8FC08 for ; Thu, 3 Dec 2009 22:52:59 +0000 (UTC) Received: from hergotha.csail.mit.edu (localhost [127.0.0.1]) by hergotha.csail.mit.edu (8.14.3/8.14.3) with ESMTP id nB3MqwWt026231 for ; Thu, 3 Dec 2009 17:52:58 -0500 (EST) (envelope-from wollman@hergotha.csail.mit.edu) Received: (from wollman@localhost) by hergotha.csail.mit.edu (8.14.3/8.14.3/Submit) id nB3Mqw8R026228; Thu, 3 Dec 2009 17:52:58 -0500 (EST) (envelope-from wollman) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <19224.16714.510240.508679@hergotha.csail.mit.edu> Date: Thu, 3 Dec 2009 17:52:58 -0500 From: Garrett Wollman To: freebsd-security@freebsd.org In-Reply-To: <200912030930.nB39UdMK037494@freefall.freebsd.org> References: <200912030930.nB39UdMK037494@freefall.freebsd.org> X-Mailer: VM 7.17 under 21.4 (patch 21) "Educational Television" XEmacs Lucid X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (hergotha.csail.mit.edu [127.0.0.1]); Thu, 03 Dec 2009 17:52:58 -0500 (EST) X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on hergotha.csail.mit.edu X-Mailman-Approved-At: Thu, 03 Dec 2009 23:04:26 +0000 Subject: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2009 22:53:00 -0000 < said: > NOTE WELL: This update causes OpenSSL to reject any attempt to renegotiate > SSL / TLS session parameters. As a result, connections in which the other > party attempts to renegotiate session parameters will break. In practice, > however, session renegotiation is a rarely-used feature, so disabling this > functionality is unlikely to cause problems for most systems. Actually, pretty much anyone who uses client certificates in an enterprise environment is likely to have a problem with this, which is why the IETF TLS working group is working on publishing a protocol fix. It looks like that RFC should be published, at Proposed Standard, in a few weeks, and most vendors look prepared to release implementations of the fix immediately thereafter (as soon as the relevant constants are assigned by IANA). -GAWollman