On 12/11/09 21:17, Rainer Jung wrote:
On 12.11.2009 17:39, Mladen Turk wrote:
Well, even the OpenSSL folks admitted that 0.9.8l wrongly approached
dealing with that issue. They even removed the
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch
and now they use SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION using
different tricks.

So IMHO 0.9.8l is simply dead end and shouldn't be used.

+1, recent discussion on openssl list points pretty well in this
direction. 0.9.8 head has the block on renegotiation problem fixed.


Agreed, however we cannot just depend on 0.9.8something to
fix the issue. The majority of OS vendors simply won't implement
this feature, and I think we should just use the proposed patch.
Same will probably be the case with JVM.


Regards
--
^TM

