tomcat-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: APR Connector renegotiation fix
Date Thu, 12 Nov 2009 21:10:43 GMT
On 12.11.2009 21:31, Mladen Turk wrote:
> On 12/11/09 21:17, Rainer Jung wrote:
>> On 12.11.2009 17:39, Mladen Turk wrote:
>>> Well even OpenSSL folks admitted that 0.9.8l wrongly approached
>>> dealing with that issue. They even removed the
>>> SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch
>>> and now they use SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION using
>>> different tricks.
>>>
>>> So IMHO 0.9.8l is simply a dead end and shouldn't be used.
>>
>> +1, recent discussion on openssl list points pretty well in this
>> direction. 0.9.8 head has the block on renegotiation problem fixed.
>>
> 
> Agreed, however we cannot just depend on 0.9.8something to
> fix the issue. The majority of OS vendors simply won't implement
> this feature, and I think we should just use the proposed patch.
> Same will probably be the case with JVM.

I didn't want to argue against the patch. That's a good thing! I'm going
to test over the WE. Just wanted to shed a little additional light on
the recent OpenSSL development.

Great that you ported the fix.

Regards,

Rainer
