Re: CVE-2009-3555 not addressed in OpenSSL

[Michael Gilbert <michael.s.gilbert@gmail.com>]

On Wed, Sep 29, 2010 at 4:57 PM, Jordon Bedwell wrote:
> There is a bug against openssl and mod_ssl for apache already they simply
> just block renegotiation (unless they did a better patch later that I don't
> recall seeing) and one was challenged (if I remember right openssl) because
> it was missing something. Personally I had assumed Debian of all people
> would be on  the ball with this so I never double backed to check and see if
> they patched it properly but I remember everything just being block block
> block and not fix fix fix for real.

I'm not really sure what the remaining problems are (just gnutls
lacking support for RFC 5746?).  Whoever knows of what those problems
are, please file bugs.

Thanks,
Mike