httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 31505] - SSLCipherSuite can be bypassed during renegotiation
Date Fri, 08 Oct 2004 11:51:20 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=31505>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=31505

SSLCipherSuite can be bypassed during renegotiation





------- Additional Comments From jorton@redhat.com  2004-10-08 11:51 -------
OK, this patch is not of course sufficient to fix the security issue since it
only enforces the correct behaviour with OpenSSL 0.9.7.  To actually prevent
access with both 0.9.7 and 0.9.6, it's necessary to enhance SSL_hook_Access to
really check that the correct cipher suite has been negotiated.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message