[Pkg-openssl-devel] Bug#555829: Bug#555829: openssl: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability

Enrique D. Bosch presidev at googlemail.com
Thu Nov 12 09:40:22 UTC 2009


On Thu, 12 Nov 2009, Kurt Roeckx wrote:

> The changes says:
>  *) Disable renegotiation completely - this fixes a severe security
>     problem (CVE-2009-3555) at the cost of breaking all
>     renegotiation. Renegotiation can be re-enabled by setting
>     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
>     run-time. This is really not recommended unless you know what
>     you're doing.
>
> So this would mean that it will break some setups.

You're right, but the solution could be to ask the user, during postinstall 
package configuration, to set SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 
(and set it by default), explaining briefly the vulnerability. This 
wouldn't break anything existing but would give the possibility to protect 
against the vulnerability.

P.S.: the changelog link of openssl 
(http://packages.debian.org/changelogs/pool/main/o/openssl/openssl_0.9.8g-15+lenny5/changelog) 
is not working at the moment.

Regards
Enrique
