On Thursday 12 November 2009, Kurt Roeckx wrote:
> On Wed, Nov 11, 2009 at 11:16:19PM +0100, Enrique D. Bosch wrote:
> > In particular, practical attacks exist against HTTPS and could
> > affect other protocols that use SSL/TLS.
>
> It's my understanding that there is a patch for mod_ssl that
> should prevent it and which does not require changes to openssl.
> But it probably has just the same problems as the 0.9.8l version.

The mod_ssl patch only rejects renegotiations requested by the client. This means with the patch, configurations that don't cause apache to request a reneg should be safe.
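
An added example, not part of the original message: a small audit for the condition the reply describes, listing the places where an Apache configuration can make the server itself request a renegotiation. It assumes the behaviour given in the mod_ssl documentation, that `SSLVerifyClient`, `SSLVerifyDepth` and `SSLCipherSuite` force a renegotiation when set in per-directory context; the function name and the sample configuration are constructed for illustration.

```python
import re

# Assumption (from the mod_ssl docs): these directives force a renegotiation
# when they are set in per-directory context.
RENEG_DIRECTIVES = {"sslverifyclient", "sslverifydepth", "sslciphersuite"}
# Container sections that create per-directory context.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)[^>]*>\s*$")
CLOSE = re.compile(r"</\s*(\w+)\s*>\s*$")

def find_server_reneg(config_text):
    """Return (line_no, enclosing_section, directive) for each directive
    that can make the server request a renegotiation."""
    stack, hits = [], []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), line))
            continue
        if line.split(None, 1)[0].lower() in RENEG_DIRECTIVES:
            # Only a hit when nested in a per-directory container.
            scope = next((s for s in reversed(stack) if s[0] in PER_DIR), None)
            if scope:
                hits.append((no, scope[1], line))
    return hits

# Constructed sample configuration, not taken from any real host.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL
    SSLVerifyClient none
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for no, section, directive in find_server_reneg(SAMPLE):
        print(f"line {no}: {directive!r} inside {section}")
```

The scan covers only the text it is given; `.htaccess` files are also per-directory context and need the same check.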