From owner-freebsd-stable@FreeBSD.ORG Sat Dec 19 12:29:16 2009
Date: Sat, 19 Dec 2009 15:29:14 +0300
From: Maxim Dounin
To: Chris H
Cc: freebsd-stable@freebsd.org
Subject: Re: SSL appears to be broken in 8-STABLE/RELEASE
Message-ID: <20091219122914.GJ43547@mdounin.ru>
In-Reply-To: <0edc3b334fc301f51193354f7a0da61b.HRCIM@webmail.1command.com>
References: <20091219111339.GH43547@mdounin.ru> <0edc3b334fc301f51193354f7a0da61b.HRCIM@webmail.1command.com>
List-Id: Production branch of FreeBSD source code
User-Agent: Mutt/1.5.20 (2009-06-14)

Hello!

On Sat, Dec 19, 2009 at 03:23:57AM -0800, Chris H wrote:

> On Sat, December 19, 2009 3:13 am, Maxim Dounin wrote:
> > Hello!
> >
> > On Sat, Dec 19, 2009 at 09:58:49AM +0100, H. Ingow wrote:
> >
> > [...]
> >
> >> Please try to compile your application against the version of openssl
> >> available in the ports tree.
> >>
> >> As you already mentioned (SA-09:15) breaks renegotiation with base system's
> >> openssl by fixing a security issue (it actually does).
> >>
> >> Prerequisite for the following is, of course, to install
> >> /usr/ports/security/openssl which will give you
> >> openssl 0.9.8l. (You do not necessarily have to remove the base openssl.)
> >
> > OpenSSL 0.9.8l has renegotiation disabled too, this won't help.
> >
> > The only difference is that 0.9.8l has some means to re-enable
> > legacy renegotiation which may be utilized by applications which are aware of the
> > problem.
>
> Which is exactly what's required to implement your previous suggestion. :)

No, my previous suggestion is unrelated.

Additionally, to re-enable renegotiation in openssl 0.9.8l you need an
application which is able to set SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
in s->s3->flags. I haven't seen any yet, and google codesearch is able to find
only one such app (proftpd).

Maxim Dounin
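An added example, not part of this thread and not code from OpenSSL or FreeBSD: a small POSIX sh helper an administrator can use to see which peers already negotiate secure renegotiation, which is the posture a patched stack (SA-09:15, 0.9.8l) will keep talking to without any application opting into unsafe legacy renegotiation. It assumes an OpenSSL client newer than the 0.9.8l discussed above (0.9.8m and later implement RFC 5746 and print a "Secure Renegotiation IS supported" / "IS NOT supported" line after the handshake; 0.9.8l prints no such line). The `s_client` session fragments are constructed, not captured, and `check_host` is a hypothetical wrapper for live use.

```shell
#!/bin/sh
# Added example (not from the thread): classify the renegotiation posture a
# TLS peer reports through `openssl s_client`.
# Assumption: the client is OpenSSL 0.9.8m or newer, which prints a
# "Secure Renegotiation IS [NOT] supported" line after the handshake; the
# 0.9.8l discussed on the list does not print that line at all.

# Constructed s_client session fragments, not real captured output.
SAMPLE_SECURE='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE'

SAMPLE_LEGACY='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported'

SAMPLE_OLD='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit'

# renego_status: reads s_client output on stdin and prints one word.
#   secure  - peer negotiated the RFC 5746 extension; renegotiation with it
#             is safe and a patched stack will allow it
#   legacy  - peer lacks the extension; a patched stack (SA-09:15 / 0.9.8l)
#             refuses to renegotiate with it unless the application sets
#             SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, as the thread says
#   unknown - the line is absent, i.e. the client itself is too old to report
renego_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS supported'; then
        echo secure
    elif printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo legacy
    else
        echo unknown
    fi
}

# check_host host:port - hypothetical live wrapper; not exercised offline.
check_host() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | renego_status
}
```

Run it as `printf '%s\n' "$SAMPLE_LEGACY" | renego_status` to see the classification on the constructed input, or `check_host mail.example.org:993` against a real peer. The input is read into a variable once so that both `grep` tests see the whole session; the "IS supported" pattern does not match "IS NOT supported", so the order of the two checks is safe.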