Hi,

Ours is an LDAP-directory-enabled application, where we use SSL/TLS to protect binds to the directory. Right now we are using OpenSSL 0.9.8g to do this. Our application depends on external directory servers for authentication, which are not maintained by us, so it is only the client side of SSL/TLS that we are concerned with.

My question here is: with the above setup, are we also affected by the renegotiation attack (CVE-2009-3555)? Should we also upgrade to OpenSSL 0.9.8l? If I understand the attack correctly, it only affects servers that support renegotiation, since the client is not aware that the server actually requests a renegotiation. Or are there any other scenarios where my client could also be affected?

Thanks,
Sandeep
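The protocol-level fix for CVE-2009-3555 is RFC 5746 (secure renegotiation), which OpenSSL gained in 0.9.8m: a client that supports it advertises either the `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` pseudo cipher suite (`0x00FF`) or the `renegotiation_info` extension (type `0xFF01`) in its ClientHello, and a patched server answers with the `renegotiation_info` extension in its ServerHello. A practical way to assess both your client and the directory servers you do not control is to look for that signalling in the Hello messages. The following Python is an added example written for this post, not code from Sandeep's application or from OpenSSL; the Hello messages it inspects are constructed inline (zeroed random, empty session ID) so it runs offline, and it parses only the fields RFC 5746 cares about.

```python
"""Check TLS ClientHello / ServerHello messages for RFC 5746 secure-renegotiation signalling.

Added example for illustration; the sample handshake messages below are constructed,
not captured from a real LDAP server.
"""
import struct

RENEGOTIATION_INFO_EXT = 0xFF01   # renegotiation_info extension type (RFC 5746)
RENEGOTIATION_SCSV = 0x00FF       # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _parse_extensions(buf):
    """Return {extension_type: extension_data} from a length-prefixed extensions block."""
    exts = {}
    if len(buf) < 2:                      # no extensions block at all (pre-extension TLS)
        return exts
    (total,) = struct.unpack("!H", buf[:2])
    body, pos = buf[2:2 + total], 0
    while pos + 4 <= len(body):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def parse_hello(handshake):
    """Parse a raw ClientHello or ServerHello handshake message (record header already removed).

    Returns the handshake type, the cipher suite(s) and the extension map.
    """
    htype = handshake[0]
    hlen = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hlen]
    pos = 2 + 32                          # skip protocol version and the 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                    # skip session ID
    info = {"type": htype, "cipher_suites": [], "extensions": {}}
    if htype == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                                 for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        comp_len = body[pos]
        pos += 1 + comp_len               # skip compression methods
    elif htype == SERVER_HELLO:
        (cs,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        info["cipher_suites"] = [cs]
        pos += 1                          # single compression method byte
    else:
        raise ValueError("not a ClientHello or ServerHello")
    info["extensions"] = _parse_extensions(body[pos:])
    return info


def client_signals_secure_renegotiation(handshake):
    """True if the ClientHello carries the SCSV or the renegotiation_info extension."""
    info = parse_hello(handshake)
    return (RENEGOTIATION_SCSV in info["cipher_suites"]
            or RENEGOTIATION_INFO_EXT in info["extensions"])


def server_signals_secure_renegotiation(handshake):
    """True if the ServerHello carries the renegotiation_info extension (patched server)."""
    return RENEGOTIATION_INFO_EXT in parse_hello(handshake)["extensions"]


def _hello(htype, version, cipher_suites, extensions):
    """Build a minimal constructed Hello message for the samples below."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, zero random, empty session ID
    if htype == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
        body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # one compression method: null
    else:
        body += struct.pack("!H", cipher_suites[0]) + b"\x00"
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
        body += struct.pack("!H", len(ext)) + ext
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


# Constructed samples: AES128-SHA (0x002F) / AES256-SHA (0x0035) with and without RFC 5746 signalling.
LEGACY_CLIENT_HELLO = _hello(CLIENT_HELLO, 0x0301, [0x002F, 0x0035], {})
PATCHED_CLIENT_HELLO = _hello(CLIENT_HELLO, 0x0301, [0x002F, 0x0035, RENEGOTIATION_SCSV], {})
LEGACY_SERVER_HELLO = _hello(SERVER_HELLO, 0x0301, [0x002F], {})
PATCHED_SERVER_HELLO = _hello(SERVER_HELLO, 0x0301, [0x002F], {RENEGOTIATION_INFO_EXT: b"\x00"})

if __name__ == "__main__":
    for name, msg, fn in [("legacy client", LEGACY_CLIENT_HELLO, client_signals_secure_renegotiation),
                          ("patched client", PATCHED_CLIENT_HELLO, client_signals_secure_renegotiation),
                          ("legacy server", LEGACY_SERVER_HELLO, server_signals_secure_renegotiation),
                          ("patched server", PATCHED_SERVER_HELLO, server_signals_secure_renegotiation)]:
        print(f"{name}: secure renegotiation signalled = {fn(msg)}")
```

In practice you would feed `parse_hello` the handshake bytes from a packet capture of your client's bind to each directory server; an OpenSSL 0.9.8m or later build of `openssl s_client` does the same check for you and prints `Secure Renegotiation IS supported` or `Secure Renegotiation IS NOT supported` after the handshake. A server that does not answer with `renegotiation_info` either still allows legacy renegotiation or has disabled it entirely, and only the server's operator can tell you which.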