On Thu, Jan 21, 2010 at 12:59:36AM +0100, OpenSSL wrote:
>
> The OpenSSL project team is pleased to announce the release of
> version 0.9.8m-beta1 of our open source toolkit for SSL/TLS. This new
> OpenSSL version is a security and bug fix beta release which implements
> draft-ietf-tls-renegotiation-03.txt to address CVE-2009-3555. For a
> complete list of changes, please see
> http://www.openssl.org/source/exp/CHANGES.
| *) Implement draft-ietf-tls-renegotiation-03. Re-enable
|    renegotiation but require the extension as needed. Unfortunately,
|    SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
|    bad idea. It has been replaced by
|    SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
|    SSL_CTX_set_options(). This is really not recommended unless you
|    know what you are doing.
|    [Eric Rescorla <e...@networkresonance.com>, Ben Laurie, Steve Henson]

The change described above is a major API/ABI change. Now applications
must handle three different cases:

 1) No built-in support for preventing unsafe renegotiation; do it
    yourself with callbacks.

 2) Built-in support controlled by SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION,
    no #define at all for SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.

 3) Built-in support controlled by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION,
    no #define for SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.

I guess once again everyone gets to bump their major version numbers for
the OpenSSL shared libraries for a point release (this'll be the second
bump in three months for anyone who picked up 0.9.8l) and gets to write
application code full of nasty #if hacks which check the OpenSSL version
string. Yuck!

Thor

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
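The three cases Thor lists can be told apart at compile time by testing for the feature macros themselves (SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) instead of comparing version strings, and the "do it yourself with callbacks" case can be covered by an info callback that flags any handshake start after the first handshake has completed. The following is an added example written for this thread; it is not code from the original post or from OpenSSL. The opt-in macro RENEG_EXAMPLE_WITH_OPENSSL, the reneg_* names and the event sequence in reneg_demo_sequence() are all assumptions of the example: built with plain `cc` it compiles without OpenSSL and only the tracking and case-reporting logic is exercised; built with `-DRENEG_EXAMPLE_WITH_OPENSSL -lssl -lcrypto` it also compiles the glue that installs the callback or clears the unsafe option on a real SSL_CTX.

```c
/* Added example (not from the original post or from OpenSSL): handle the
 * three renegotiation cases by testing for the OpenSSL macros rather than
 * parsing the version string.  RENEG_EXAMPLE_WITH_OPENSSL is an assumed
 * opt-in name for this example, not an OpenSSL macro. */
#include <stdio.h>

#ifdef RENEG_EXAMPLE_WITH_OPENSSL
#  include <openssl/ssl.h>
#else
/* Values of the OpenSSL info-callback bits, copied here so the tracking
 * logic compiles and runs without the library installed. */
#  define SSL_CB_HANDSHAKE_START 0x10
#  define SSL_CB_HANDSHAKE_DONE  0x20
#endif

#define RENEG_CASE_CALLBACK  1 /* 1) no built-in control: police it in a callback */
#define RENEG_CASE_SSL3_FLAG 2 /* 2) SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION */
#define RENEG_CASE_SSL_OP    3 /* 3) SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION */

/* Decided by which #define exists.  This is still an #if hack, but keyed
 * on the feature macro, which survives version-number churn better than a
 * comparison against OPENSSL_VERSION_NUMBER.  Without the OpenSSL header
 * (stand-alone build) neither macro is visible and case 1 is reported. */
#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
#  define RENEG_CASE RENEG_CASE_SSL_OP
#elif defined(SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
#  define RENEG_CASE RENEG_CASE_SSL3_FLAG
#else
#  define RENEG_CASE RENEG_CASE_CALLBACK
#endif

int reneg_support_case(void) { return RENEG_CASE; }

/* Per-connection state for case 1: once the first handshake has completed,
 * any further SSL_CB_HANDSHAKE_START means someone tried to renegotiate. */
struct reneg_state {
    int handshake_done;
    int reneg_attempted;
};

void reneg_state_init(struct reneg_state *st) {
    st->handshake_done = 0;
    st->reneg_attempted = 0;
}

/* Pure tracking step, fed the `where` bits an OpenSSL info callback gets.
 * Returns 1 if this event was a renegotiation attempt, else 0. */
int reneg_track(struct reneg_state *st, int where) {
    if ((where & SSL_CB_HANDSHAKE_START) && st->handshake_done) {
        st->reneg_attempted = 1;
        return 1;
    }
    if (where & SSL_CB_HANDSHAKE_DONE)
        st->handshake_done = 1;
    return 0;
}

/* The application checks this before trusting data read after the initial
 * handshake; a cleared result should end the connection. */
int reneg_connection_ok(const struct reneg_state *st) {
    return !st->reneg_attempted;
}

/* Constructed event sequence: initial handshake, then one renegotiation.
 * Returns the number of renegotiation attempts detected (1 here). */
int reneg_demo_sequence(void) {
    static const int events[] = {
        SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
        SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE
    };
    struct reneg_state st;
    int i, attempts = 0;
    reneg_state_init(&st);
    for (i = 0; i < (int)(sizeof events / sizeof events[0]); i++)
        attempts += reneg_track(&st, events[i]);
    return attempts;
}

#ifdef RENEG_EXAMPLE_WITH_OPENSSL
/* Glue to real OpenSSL: the state struct is stored as the SSL's app data
 * (SSL_set_app_data / SSL_get_app_data) and the info callback feeds it. */
static void reneg_info_cb(const SSL *ssl, int where, int ret) {
    struct reneg_state *st = SSL_get_app_data(ssl);
    (void)ret;
    if (st) reneg_track(st, where);
}

/* Harden a context for whichever case this OpenSSL provides.  Case 3 clears
 * the unsafe option explicitly in case an inherited option mask set it;
 * case 1 installs the callback; case 2 simply never sets the SSL3 flag. */
void reneg_harden_ctx(SSL_CTX *ctx) {
#if RENEG_CASE == RENEG_CASE_SSL_OP
    SSL_CTX_clear_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
#elif RENEG_CASE == RENEG_CASE_CALLBACK
    SSL_CTX_set_info_callback(ctx, reneg_info_cb);
#else
    (void)ctx;
#endif
}
#endif

int main(void) {
    printf("compiled-in renegotiation case: %d\n", reneg_support_case());
    printf("renegotiation attempts in demo sequence: %d\n", reneg_demo_sequence());
    return 0;
}
```

In a real server the per-connection struct is attached with SSL_set_app_data() right after SSL_new(), and reneg_connection_ok() is consulted after every read; the callback approach is what applications had to do on OpenSSL builds that predate either macro.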