Mounir IDRASSI wrote:
> So, an OpenSSL based web server is immune from this attack, unless it
> uses the flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.

Which is exactly what Apache and some other popular applications seem to be doing. Maybe this flag should not be included in SSL_OP_ALL after all.

Regards,
Johan