On 12.11.2009 21:31, Mladen Turk wrote:
> On 12/11/09 21:17, Rainer Jung wrote:
>> On 12.11.2009 17:39, Mladen Turk wrote:
>>> Well, even the OpenSSL folks admitted that 0.9.8l wrongly approached
>>> dealing with that issue. They even removed the
>>> SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION flag from the 0.9.8 branch
>>> and now they use SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION using
>>> different tricks.
>>>
>>> So IMHO 0.9.8l is simply a dead end and shouldn't be used.
>>
>> +1, recent discussion on the openssl list points pretty well in this
>> direction. 0.9.8 head has the block-on-renegotiation problem fixed.
>>
>
> Agreed, however we cannot just depend on 0.9.8something fixing
> the issue. The majority of OS vendors simply won't implement
> this feature, and I think we should just use the proposed patch.
> The same will probably be the case with the JVM.
I didn't want to argue against the patch. That's a good thing! I'm going to test over the WE. Just wanted to shed a little additional light on the recent OpenSSL development. Great that you ported the fix.

Regards,

Rainer