Op donderdag 14 februari 2013 14:31:32 schreef Arno Töll: > On 12.02.2013 16:08, Thijs Kinkhorst wrote: > > Do you agree on the approach? Barring any objections I'm planning to > > release this as a DSA after the weekend. > > I am by no means an expert with the SSL API, but I believe your patch to > disable SSL compression looks fine (although diverging from upstream's > fix as you noted). Yours looks pretty much like the fix we applied to > Apache. > > Are you sure, the negotiation patch has no side effects with respect to > SSL compression?
I'm pretty sure, and our tests show that the new packages both disabled the renegotiation and compression. > Moreover, I would suggest to announce your change in a NEWS entry for > stable updates. People might rely on the renegotiation feature in multi > vhost SSL setups. Yes, I'll make a NEWS item based on the one in Apache then, and upload to security-master. > Otherwise I'm happy you provided a patch. The renegotiation fix should > also be in Wheezy. Yes, agreed. Cheers, Thijs
signature.asc
Description: This is a digitally signed message part.

