Message-ID: <4B20D86B.7080800@default.rs>
Date: Thu, 10 Dec 2009 12:15:55 +0100
From: Bogdan Ćulibrk
To: freebsd-security@freebsd.org
Cc: wollman@bimajority.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl

> Actually, pretty much anyone who uses client certificates in an
> enterprise environment is likely to have a problem with this, which is
> why the IETF TLS working group is working on publishing a protocol
> fix. It looks like that RFC should be published, at Proposed
> Standard, in a few weeks, and most vendors look prepared to release
> implementations of the fix immediately thereafter (as soon as the
> relevant constants are assigned by IANA).
>
> -GAWollman

This advisory kinda made a big problem here in local (things stopped
working). I had to roll back this update because of "session
renegotiation" breakage.

Is there some workaround to make things work along with this advisory?
Maybe switch to ports/security/openssl? Can anyone comment on this one?

Thanks in advance.

=bc