Message307893
I don't think your PR is required. The issue was addressed in OpenSSL 0.9.8m over 7 years ago, https://access.redhat.com/security/cve/cve-2009-3555.
From https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html:
> OpenSSL always attempts to use secure renegotiation as described in RFC5746. This counters the prefix attack described in CVE-2009-3555 and elsewhere.
OpenSSL changelog:

> Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
>
> *) Implement RFC5746. Re-enable renegotiation but require the extension
> as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
> turns out to be a bad idea. It has been replaced by
> SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
> SSL_CTX_set_options(). This is really not recommended unless you
> know what you are doing.
> [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson]

| Date | User | Action | Args |
|---|---|---|---|
| 2017-12-09 12:20:46 | christian.heimes | set | recipients: + christian.heimes, chuq |
| 2017-12-09 12:20:46 | christian.heimes | set | messageid: <1512822046.54.0.213398074469.issue32257@psf.upfronthosting.co.za> |
| 2017-12-09 12:20:46 | christian.heimes | link | issue32257 messages |
| 2017-12-09 12:20:45 | christian.heimes | create | |
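
The following check is an added example, not part of the original message or of CPython: it confirms that a Python runtime links an OpenSSL at or after 0.9.8m and that a context has not opted back into legacy renegotiation. The function names are hypothetical, and the numeric flag value is an assumption taken from OpenSSL's `ssl.h`.

```python
import ssl

# Assumption: numeric value of SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION as
# defined in OpenSSL's <openssl/ssl.h>, spelled out here as a plain integer.
OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0x00040000

# 0.9.8m in ssl.OPENSSL_VERSION_INFO form: patch letters map a=1 ... m=13.
FIRST_RFC5746_RELEASE = (0, 9, 8, 13)


def renegotiation_findings(version_info, options):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    # Releases before 0.9.8m predate the RFC 5746 implementation.
    if tuple(version_info[:4]) < FIRST_RFC5746_RELEASE:
        findings.append("OpenSSL older than 0.9.8m: no RFC 5746 support")
    # The option the changelog calls "really not recommended".
    if int(options) & OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION:
        findings.append("SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set")
    return findings


def audit_context(ctx):
    """Audit a live SSLContext against the OpenSSL this interpreter links."""
    return renegotiation_findings(ssl.OPENSSL_VERSION_INFO, ctx.options)


if __name__ == "__main__":
    ctx = ssl.create_default_context()
    print(ssl.OPENSSL_VERSION, audit_context(ctx) or "ok")
```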