
Author christian.heimes
Recipients christian.heimes, chuq
Date 2017-12-09.12:20:45
Message-id <1512822046.54.0.213398074469.issue32257@psf.upfronthosting.co.za>
Content
I don't think your PR is required. The issue has been addressed in OpenSSL 0.9.8m over 7 years ago, https://access.redhat.com/security/cve/cve-2009-3555.


From https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html

> OpenSSL always attempts to use secure renegotiation as described in RFC5746. This counters the prefix attack described in CVE-2009-3555 and elsewhere.


OpenSSL changelog

Changes between 0.9.8l and 0.9.8m [25 Feb 2010]


  *) Implement RFC5746. Re-enable renegotiation but require the extension
     as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
     turns out to be a bad idea. It has been replaced by
     SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
     SSL_CTX_set_options(). This is really not recommended unless you
     know what you are doing.
     [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson]
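Added example, not code from this thread or from CPython: a small audit that decodes the raw OpenSSL options of an ssl.SSLContext and reports whether SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION has been switched on, since Python's ssl module does not expose that option by name. The bit value 0x00040000 is assumed from OpenSSL's ssl.h; the "weakened" context is a constructed misconfiguration used only to show what the check catches.

```python
import ssl

# Raw bit of SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION from <openssl/ssl.h>.
# Assumption: 0x00040000, the value OpenSSL 1.0.x through 3.x use for it.
# Python's ssl module has no ssl.OP_* name for this option.
OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0x00040000


def named_options(options: int) -> list:
    """Decompose a raw SSL_CTX options mask into the ssl.OP_* names Python knows.

    OP_ALL is skipped because it is a multi-bit alias, not a single option.
    Bits with no Python name (such as the unsafe legacy flag) are not listed.
    """
    found = []
    for name in dir(ssl):
        if not name.startswith("OP_") or name == "OP_ALL":
            continue
        value = int(getattr(ssl, name))
        if value and (options & value) == value:
            found.append(name)
    return sorted(found)


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the renegotiation posture of a context.

    With the unsafe bit clear, OpenSSL only renegotiates with peers that
    support RFC 5746 secure renegotiation, which is the CVE-2009-3555 fix.
    """
    raw = int(ctx.options)
    unsafe = bool(raw & OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "options": named_options(raw),
        "allow_unsafe_legacy_renegotiation": unsafe,
        "secure_renegotiation_only": not unsafe,
    }


def hardened_context() -> ssl.SSLContext:
    """Python's default context: no unsafe legacy renegotiation bit set."""
    return ssl.create_default_context()


def weakened_context() -> ssl.SSLContext:
    """Constructed misconfiguration: explicitly opts back into pre-RFC 5746 behaviour."""
    ctx = ssl.create_default_context()
    ctx.options |= OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()), ("weakened", weakened_context())):
        print(label, audit_context(ctx))
```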