[Pkg-openssl-devel] Bug#555829: Bug#555829: openssl: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability

Kurt Roeckx kurt at roeckx.be
Thu Nov 12 17:55:36 UTC 2009


On Thu, Nov 12, 2009 at 10:40:22AM +0100, Enrique D. Bosch wrote:
> On Thu, 12 Nov 2009, Kurt Roeckx wrote:
> 
> >The changes says:
> > *) Disable renegotiation completely - this fixes a severe security
> >    problem (CVE-2009-3555) at the cost of breaking all
> >    renegotiation. Renegotiation can be re-enabled by setting
> >    SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
> >    run-time. This is really not recommended unless you know what
> >    you're doing.
> >
> >So this would mean that it will break some setups.
> 
> You're right, but the solution could be to ask the user, during
> postinstall package configuration, to set
> SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION (and set it by default)
> explaining briefly the vulnerability. This wouldn't break anything
> existing but give the possibility to protect against the vulnerability.

There is no way to do that with the existing version.  Software
that wants to use that flag needs to be modified to use that flag.


Kurt





