tomcat-dev mailing list archives

From Mladen Turk <mt...@apache.org>
Subject Re: APR Connector renegotiation fix
Date Thu, 12 Nov 2009 20:31:11 GMT
On 12/11/09 21:17, Rainer Jung wrote:
> On 12.11.2009 17:39, Mladen Turk wrote:
>> Well even OpenSSL folks admitted that 0.9.8l wrongly approached
>> dealing with that issue. They even removed the
>> SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch
>> and now they use SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION using
>> different tricks.
>>
>> So IMHO 0.9.8l is simply a dead end and shouldn't be used.
>
> +1, recent discussion on openssl list points pretty well in this
> direction. 0.9.8 head has the block on renegotiation problem fixed.
>

Agreed, however we cannot just depend on 0.9.8something to
fix the issue. The majority of OS vendors simply won't implement
this feature, and I think we should just use the proposed patch.
The same will probably be the case with the JVM.


Regards
-- 
^TM

