From: "Barry Raveendran Greene" (bgreene@senki.org)
To: 'Bogdan Ćulibrk'
Cc: wollman@bimajority.org
Date: Thu, 10 Dec 2009 06:41:00 -0800
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl
Message-ID: <000301ca79a6$d24cc8e0$76e65aa0$@org>
In-Reply-To: <4B20D86B.7080800@default.rs>

> > Actually, pretty much anyone who uses client certificates in an
> > enterprise environment is likely to have a problem with this, which is
> > why the IETF TLS working group is working on publishing a protocol
> > fix. It looks like that RFC should be published, at Proposed
> > Standard, in a few weeks, and most vendors look prepared to release
> > implementations of the fix immediately thereafter (as soon as the
> > relevant constants are assigned by IANA).
> >
> > -GAWollman
>
> This advisory kinda made big problem here in local (things stopped
> working). I had to do rollback this update because of "session
> renegotiation" breakage.
>
> Is there some workaround to make things work along with this advisory?
> Maybe switch to ports/security/openssl?
>
> Can anyone comment on this one?
> Thanks in advance.

You will have to wait on the TLS Working Group in the IETF to finish if your
application needs renegotiation. The "HOT PAGE" on this topic for the
industry is here:

http://www.icasi.org/tls-ssl.html