http://issues.apache.org/bugzilla/show_bug.cgi?id=31505
SSLCipherSuite can be bypassed during renegotiation
------- Additional Comments From jorton@redhat.com 2004-10-08 11:51 -------
OK, this patch is not of course sufficient to fix the security issue since it
only enforces the correct behaviour with OpenSSL 0.9.7. To actually prevent
access with both 0.9.7 and 0.9.6, it's necessary to enhance SSL_hook_Access to
really check that the correct cipher suite has been negotiated.