httpd-dev mailing list archives

From "William A. Rowe Jr."
Subject Re: [vote] release 2.2.15?
Date Wed, 03 Mar 2010 18:02:17 GMT
On 3/3/2010 11:50 AM, Stefan Fritsch wrote:
> On Wednesday 03 March 2010, Mladen Turk wrote:
>> BTW, I wouldn't recommend to compile against 0.9.8m.
>> openssl s_client < 0.9.8m block on renegotiation
> Have you only tried 0.9.8l as client? It has a known bug with 
> renegotiation that makes it hang instead of fail.
> I have no problems with 0.9.8c and 0.9.8g (from Debian 4.0 and 5.0). 
> If SSLInsecureRenegotiation is on, it works. If 
> SSLInsecureRenegotiation is off, I get an "sslv3 alert handshake 
> failure".

And the bug is specific to openssl < 0.9.8m mishandling the alert; it will
neither abort nor resume the prior session, so it is left to time out.  You
may want to contrast this behavior to legacy IE, Firefox, etc.

Attached is one suggestion of a workaround.
