[Pkg-openssl-devel] Bug#555829: Bug#555829: Bug#555829: openssl: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability

Stefan Fritsch sf at sfritsch.de
Fri Nov 13 14:38:34 UTC 2009

On Thursday 12 November 2009, Kurt Roeckx wrote:
> On Wed, Nov 11, 2009 at 11:16:19PM +0100, Enrique D. Bosch wrote:
> > In particular, practical attacks exists against HTTPS and could
> > affect other protocols that use SSL/TLS.
> It's my understanding that there is a patch for mod_ssl that
> should prevent it and which does not require changes to openssl.
> But it probably has just the same problems as the 0.9.8l version.

The mod_ssl patch only rejects renegotiations requested by the client. 
This means with the patch, configurations that don't cause apache to 
request a reneg should be safe. 

More information about the Pkg-openssl-devel mailing list