[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

openssl rfc5746 / renegotiation support


I would like to add rfc5746 support to openssl in stable, so that
CVE-2009-3555 can be fixed.  But adding that support means that
the old renegotiation doesn't work anymore unless you set an
option.  This has the potentional to break both client and server
applications making use of openssl.  See the SSL_CTX_set_options
manpage for the behaviour and the options you can set.

There are atleast 2 packages that have an issue with this that I'm
currently aware of:
- apache2: It would need an option an admin can turn on to allow
  insecure renegotiation.
- tor: It should always disable the new renegotiation.  Running it
  as a server doesn't work.  Newer versions than in stable, like
  the version in volatile, do work properly with any version of
  openssl.  The maintainer and upstream favour dropping the
  version currently in stable.

Other packages still need to be checked.

I think at this point we're not going to be able to check the
various packages that might be affected by this before the next
point release.  So I wonder when the next point release is
going to happen, or that we should try and update this via the
security archive.


Reply to: