[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSL problems in woody (slapper)



On Friday, 2002-09-20 at 09:18:44 +0200, Bjarne Østby wrote:

>   /home/bjarne# ./ssl-test xxx.xxx.xxx.31
>   xxx.xxx.xxx.31 443 PATCHED: detects small overflow, but crashes (0.9.6e)

> I checked the apache prosess on the server after I ran the test.  It had not crashed.
> Is it only the child prosess that terminates?  

It is the connection that crashes, i.e. is not properly shut down with
the SSL protocol. 0.9.6g does that.

> According to the the makers of openssl-sslv2-master the version returned
> is guessed from how the server responds to the probe.  Does this mean
> that 0.9.6c-2.woody.1 -> 0.9.6e?  

0.9.6c-2.woody.1 behaves like 0.9.6e in this by terminating the
connection hard instead of sending an error message.

> On a side note.
> I wonder about curl-ssl and libssl09.  Are they made redundant by libssl0.9.6?

For libssl09, I found no packages in sarge that depend on it.

And curl-ssl's Description in sarge says:
Description: Pseudopackage for migration from Debian 2.2 (potato).

I checked woody, same situation.

So unless you are running potato, you can remove both packages.

HTH,
Lupe Christoph
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be        |
| unsinkable. The designer had a speech impediment. He said: "I have     |
| thith great unthinkable conthept ..."                                  |



Reply to: