
openssl rfc5746 / renegotiation support



Hi,

I would like to add rfc5746 support to openssl in stable, so that
CVE-2009-3555 can be fixed.  But adding that support means that
the old renegotiation doesn't work anymore unless you set an
option.  This has the potential to break both client and server
applications making use of openssl.  See the SSL_CTX_set_options
manpage for the behaviour and the options you can set.

There are at least 2 packages that have an issue with this that I'm
currently aware of:
- apache2: It would need an option an admin can turn on to allow
  insecure renegotiation.
- tor: It should always disable the new renegotiation.  Running it
  as a server doesn't work.  Newer versions than in stable, like
  the version in volatile, do work properly with any version of
  openssl.  The maintainer and upstream favour dropping the
  version currently in stable.

Other packages still need to be checked.

I think at this point we're not going to be able to check the
various packages that might be affected by this before the next
point release.  So I wonder when the next point release is
going to happen, or whether we should try and update this via the
security archive.


Kurt

