On Sep 22, 2011, at 6:56 AM, Johan van Selst wrote:

> Mounir IDRASSI wrote:
>> So, an OpenSSL based web server is immune from this attack, unless it
>> uses the flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
>
> Which is exactly what Apache and some other popular applications seem to
> be doing. Maybe this flag should not be included in SSL_OP_ALL after all.

Do you have a patch for Apache? Any of the "some broken SSL/TLS implementations" still in widespread use?

S.

-- 
san...@temme.net http://www.temme.net/sander/
PGP FP: FC5A 6FC6 2E25 2DFD 8007 EE23 9BB8 63B0 F51B B88A
View my availability: http://tungle.me/sctemme

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
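An added example, not part of the original message and not code from Apache or OpenSSL: a heuristic Python scan of C source for `SSL_CTX_set_options` / `SSL_set_options` calls that, as the thread describes, turn on `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` (directly or through `SSL_OP_ALL`) without masking it out or clearing it afterwards with `SSL_CTX_clear_options` / `SSL_clear_options`. The sample input is constructed, and matching the context object by variable name is a simplifying assumption.

```python
import re
FLAG = "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS"
CALL = re.compile(r"\b(?:SSL|SSL_CTX)_(set|clear)_options\s*\(")

def _args(src, start):
    """Split the call's top-level arguments; start is just past its '('."""
    depth, cur, out = 1, "", []
    for ch in src[start:]:
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            break
        if ch == "," and depth == 1:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return out + [cur.strip()]

def _sets_flag(expr):
    """True if expr names SSL_OP_ALL or the flag and does not mask the flag out."""
    named = re.search(r"\b(?:SSL_OP_ALL|%s)\b" % FLAG, expr)
    masked = re.search(r"&\s*~\s*\(?\s*%s\b" % FLAG, expr)
    return bool(named) and not masked

def audit(src):
    """Return (line, object, options) for set_options calls that leave the flag on."""
    # Blank out C comments but keep offsets, so reported line numbers stay right.
    src = re.sub(r"/\*.*?\*/|//[^\n]*",
                 lambda m: re.sub(r"[^\n]", " ", m.group()), src, flags=re.S)
    calls = []
    for m in CALL.finditer(src):
        args = _args(src, m.end())
        if len(args) == 2:
            calls.append((src.count("\n", 0, m.start()) + 1, m.group(1), *args))
    findings = []
    for line, kind, obj, expr in calls:
        if kind == "set" and _sets_flag(expr):
            cleared = any(k == "clear" and o == obj and FLAG in e and l > line
                          for l, k, o, e in calls)
            if not cleared:
                findings.append((line, obj, expr))
    return findings

# Constructed sample input, not taken from Apache or any real project.
SAMPLE = """SSL_CTX_set_options(ctx, SSL_OP_ALL);
SSL_CTX_set_options(ctx2, SSL_OP_ALL | SSL_OP_NO_SSLv2);
SSL_CTX_clear_options(ctx2, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
/* SSL_set_options(old, SSL_OP_ALL); */
SSL_set_options(ssl, SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
"""
```

`audit(SAMPLE)` reports only the first call; a hit means the source requests the flag, and whether `SSL_OP_ALL` still carries it depends on the OpenSSL headers the code is built against.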