httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Backport proposal for CVE-2009-3555
Date Thu, 19 Nov 2009 12:08:20 GMT

On 09.11.2009 23:28, Rainer Jung wrote:
> I did a first try on backporting the CVE-2009-3555 patch to 2.0:
> 
> http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x.patch
> 
> I hadn't yet time for intensive testing, but first tests looked OK.
> I noticed I couldn't log the SSL_SESSION_ID, but maybe that was a
> Windows thing. Hadn't yet time and access to test on Unix resp. test on
> Windows without patch.

Testing looked good, client initiated reneg is not allowed, server side
reneg worked. The previously observed missing SSL_SESSION_ID in the
access logs was due to the client using TLS session ticket extension in
combination with HTTP-Keepalive.

I'll add it to 2.0.x STATUS soon.

Regards,

Rainer
