httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From BFinkel...@aaamissouri.com
Subject [users@httpd] CVE-2011-338
Date Tue, 15 May 2012 19:04:50 GMT
I am trying to verify if the openssl env I am working in 0.9.8u is 
affected or not.  I don't beleive it is because it seems this is NOT a 
default option that is enabled.

Line from the CVE-2011-338
OpenSSL uses empty fragments as a countermeasure unless the 
'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is 
initialized.

My question is where do you add these 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' 
 initialization options?

Brad
Mime
View raw message