On Fri, Apr 15, 2005 at 02:35:21PM +0900, Noritoshi Demizu wrote:
> 2. The TCP MD5 Signature option is used iff an incoming SYN has the
>    TCP MD5 Signature option.  However, RFC2385 says in section 2.0
>    as follows.
>
>      "Unlike other TCP extensions (e.g., the Window Scale option
>      [RFC1323]), the absence of the option in the SYN,ACK segment must not
>      cause the sender to disable its sending of signatures."
>
>    I am sorry if the current behavior is intentional, but should the
>    condition to turn on SCF_SIGNATURE be (tp->t_flags & TF_SIGNATURE)?

We can't make this change until we fix how security policy is implemented
for listening sockets; otherwise we end up in a situation where, for example,
a BGP listener can *only* accept MD5 sessions.

Thank you for the other suggested fixes; I will try to review them in more
depth when I have free time.

BMS
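
Added example (not part of the thread and not FreeBSD code): a Python model of the check under discussion. It parses the TCP options of a constructed SYN, verifies the RFC 2385 digest, and evaluates the two SYN,ACK signing conditions named in the thread. The function names, rule labels, addresses, ports and key are assumptions made for this example.

```python
import hashlib, hmac, socket, struct
# Added example: names, rule labels and sample values are constructed.
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5 = 0, 1, 19   # kind 19, length 18 (RFC 2385)

def parse_options(raw):
    """Walk a TCP option block and return {kind: value bytes}."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != TCPOPT_EOL:
        if raw[i] == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        opts[raw[i]] = raw[i + 2:i + raw[i + 1]]
        i += raw[i + 1]
    return opts

def rfc2385_digest(src, dst, segment, key):
    """MD5 over pseudo-header, option-less header (checksum 0), data, key."""
    data_off = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    header = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + header + segment[data_off:] + key).digest()

def classify(src, dst, segment, key):
    """Return 'unsigned', 'valid' or 'invalid' for one raw TCP segment."""
    data_off = (segment[12] >> 4) * 4
    sig = parse_options(segment[20:data_off]).get(TCPOPT_MD5)
    if sig is None:
        return "unsigned"
    good = len(sig) == 16 and hmac.compare_digest(sig, rfc2385_digest(src, dst, segment, key))
    return "valid" if good else "invalid"

def build_syn(src, dst, key=None):
    """Constructed sample SYN (ports 40000 -> 179); signed when key is given."""
    opts = b"\x01\x01\x13\x12" + bytes(16) if key is not None else b""
    seg = struct.pack("!HHIIBBHHH", 40000, 179, 1000, 0,
                      (5 + len(opts) // 4) << 4, 0x02, 65535, 0, 0) + opts
    if key is not None:
        seg = seg[:24] + rfc2385_digest(src, dst, seg, key)
    return seg

def synack_signed(syn, tf_signature, rule):
    """Model of the two conditions in the thread: option seen in SYN vs. socket flag."""
    if rule == "syn-has-option":
        return TCPOPT_MD5 in parse_options(syn[20:(syn[12] >> 4) * 4])
    return bool(tf_signature)
```

With the listener flag set and an unsigned SYN, the "syn-has-option" rule leaves the SYN,ACK unsigned while the flag-based rule signs it, which is the case the reply is concerned about.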