From: "Chris H"
To: freebsd-stable@freebsd.org
Date: Sat, 19 Dec 2009 03:23:57 -0800 (PST)
Subject: Re: SSL appears to be broken in 8-STABLE/RELEASE
Message-ID: <0edc3b334fc301f51193354f7a0da61b.HRCIM@webmail.1command.com>
In-Reply-To: <20091219111339.GH43547@mdounin.ru>
References: <20091219111339.GH43547@mdounin.ru>

On Sat, December 19, 2009 3:13 am, Maxim Dounin wrote:
> Hello!
>
> On Sat, Dec 19, 2009 at 09:58:49AM +0100, H. Ingow wrote:
>
> [...]
>
>> Please try to compile your application against the version of openssl
>> available in the ports tree.
>>
>> As you already mentioned (SA-09:15) breaks renegotiation with base system's
>> openssl by fixing a security issue (it actually does).
>>
>> Prerequisite for the following is, of course, to install
>> /usr/ports/security/openssl which will give you
>> openssl 0.9.8l. (You do not necessarily have to remove the base openssl)
>
> OpenSSL 0.9.8l has renegotiation disabled too, this won't help.
>
> The only difference is that 0.9.8l has some means to re-enable
> legacy renegotiation which may be utilized by applications which are aware of the
> problem.

Which is exactly what's required to implement your previous suggestion. :)

--Chris H

>
> Maxim Dounin