[Pkg-openssl-devel] Bug#555829: Bug#555829: Bug#555829: openssl: CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability
Stefan Fritsch
sf at sfritsch.de
Fri Nov 13 14:38:34 UTC 2009
On Thursday 12 November 2009, Kurt Roeckx wrote:
> On Wed, Nov 11, 2009 at 11:16:19PM +0100, Enrique D. Bosch wrote:
> > In particular, practical attacks exist against HTTPS and could
> > affect other protocols that use SSL/TLS.
>
> It's my understanding that there is a patch for mod_ssl that
> should prevent it and which does not require changes to openssl.
> But it probably has just the same problems as the 0.9.8l version.
The mod_ssl patch only rejects renegotiations requested by the client.
This means with the patch, configurations that don't cause Apache to
request a reneg should be safe.
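Added example, not part of the original message or of the mod_ssl patch: a Python check that lists the places in an httpd configuration where Apache itself may request a renegotiation, i.e. the configurations the message leaves outside "should be safe". It assumes that SSLVerifyClient and SSLCipherSuite set inside per-directory sections are the triggers; the function name and the sample configuration are constructed for illustration.

```python
import re

# Assumption (mod_ssl behaviour, not stated in the thread): these directives,
# when set inside a per-directory section, can make the server request a
# renegotiation after the request has been read.
RENEG_DIRECTIVES = {"sslverifyclient", "sslciphersuite"}
PER_DIR_SECTIONS = {"directory", "directorymatch", "location",
                    "locationmatch", "files", "filesmatch"}
OPEN_RE = re.compile(r"^<\s*(\w+)\b(.*)>$")
CLOSE_RE = re.compile(r"^</\s*(\w+)\s*>$")

def find_server_reneg(config_text):
    """Return (line_no, enclosing_section, directive) for each candidate."""
    findings, stack = [], []          # stack: open sections, innermost last
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN_RE.match(line)
        if opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip()))
            continue
        if line.split(None, 1)[0].lower() not in RENEG_DIRECTIVES:
            continue
        per_dir = [s for s in stack if s[0] in PER_DIR_SECTIONS]
        if per_dir:                   # server/vhost-level settings are skipped
            findings.append((line_no, "%s %s" % per_dir[-1], line))
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL
    SSLVerifyClient none
    <Location /admin>
        SSLVerifyClient require
    </Location>
    <Directory /srv/www/strong>
        # SSLCipherSuite commented out
        SSLCipherSuite HIGH
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for hit in find_server_reneg(SAMPLE):
        print("line %d in <%s>: %s" % hit)
```

Each hit is a candidate to review: moving the setting to the virtual-host level, or serving that area from its own virtual host, lets it be negotiated in the initial handshake.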