httpd-dev mailing list archives

From Dr Stephen Henson <shen...@oss-institute.org>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Fri, 06 Nov 2009 19:00:02 GMT
Dirk-Willem van Gulik wrote:
> 
> So I guess the one thing we need now is to double check with the OpenSSL
> folks if the basic concept of this patch covers all bases. I.e. really
> sees every possible renegotiate - regardless of what or from where
> initiated. I am a bit worried that OpenSSL may have to clean an
> abstraction layer perhaps.
> 

I can only comment about *this* OpenSSL folk ;-)

I only found out about this issue yesterday and I'm on vacation until early next
week so I've only been following this in outline.

The normal session resumption can be performed using s_client and the -sess_out
and -sess_in options so check that works normally if you haven't already. That
should be checked with -no_ticket too to check stateful resumption (stateless is
default for newer versions of OpenSSL).

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
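
Added example, not part of the original message: a shell sketch of the resumption check described above, using s_client's -sess_out and -sess_in options and reading the "New, " / "Reused, " line that s_client prints for each handshake. The function names, the host:port argument and the sample transcripts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that TLS session resumption still works against a
# patched server. Function names and sample transcripts are hypothetical.

# Constructed sample s_client transcripts (not captured from a real server).
SAMPLE_FULL='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
---'
SAMPLE_RESUMED='CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
---'

# Read one s_client transcript on stdin and print "new", "reused" or
# "unknown" (no handshake summary, e.g. the connection failed).
resumption_status() {
    rs_line=$(grep -E '^(New|Reused), ' | head -n 1)
    case $rs_line in
        Reused,*) echo reused ;;
        New,*)    echo new ;;
        *)        echo unknown ;;
    esac
}

# Usage: check_resumption host:port [extra s_client options]
# Does a full handshake saving the session, then offers the saved session
# back. Succeeds only if the first handshake is new and the second reused.
check_resumption() {
    cr_target=$1
    shift
    cr_sess=$(mktemp) || return 2
    cr_first=$(openssl s_client -connect "$cr_target" -sess_out "$cr_sess" \
        "$@" </dev/null 2>/dev/null | resumption_status)
    cr_second=$(openssl s_client -connect "$cr_target" -sess_in "$cr_sess" \
        "$@" </dev/null 2>/dev/null | resumption_status)
    rm -f "$cr_sess"
    echo "first=$cr_first second=$cr_second"
    [ "$cr_first" = new ] && [ "$cr_second" = reused ]
}

# Example runs (host is a placeholder):
#   check_resumption www.example.org:443              # default resumption
#   check_resumption www.example.org:443 -no_ticket   # stateful resumption
```

A result of second=new means the server did a full handshake instead of resuming the offered session.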
