Re: openssl 0.9.8m-beta1 with modssl patch does not disable renegotiation

2010-01-22 Thread Victor Duchovni
On Fri, Jan 22, 2010 at 04:39:43AM +0100, Dr. Stephen Henson wrote:
> On Thu, Jan 21, 2010, fredk2 wrote:
> >
> > do I understand this correctly:
> > 0.9.8m sends a no_renegotiation alert and apache needs a mod_ssl patch that,
> > by default, upon this alert closes the connection?
> >
>
> No

Re: openssl 0.9.8m-beta1 with modssl patch does not disable renegotiation

2010-01-21 Thread Dr. Stephen Henson
On Thu, Jan 21, 2010, fredk2 wrote:
>
> do I understand this correctly:
> 0.9.8m sends a no_renegotiation alert and apache needs a mod_ssl patch that,
> by default, upon this alert closes the connection?
>
No, this isn't Apache's fault. OpenSSL 0.9.8m sends the no_renegotiation alert it's just t

Re: openssl 0.9.8m-beta1 with modssl patch does not disable renegotiation

2010-01-21 Thread fredk2
Do I understand this correctly: 0.9.8m sends a no_renegotiation alert and apache needs a mod_ssl patch that, by default, upon this alert closes the connection?

Thanks - Fred

Dr. Stephen Henson wrote:
>
> On Thu, Jan 21, 2010, fredk2 wrote:
>
>>
>> Yes I forgot to mention that I did test with

Re: openssl 0.9.8m-beta1 with modssl patch does not disable renegotiation

2010-01-21 Thread Dr. Stephen Henson
On Thu, Jan 21, 2010, fredk2 wrote:
>
> Yes I forgot to mention that I did test with the 0.9.8m s_client and that
> worked.
> The [new] problem 0.9.8m creates is that an (old) client can request R and
> exhaust all apache threads.
>
This is a bit of a problem for older clients because the specifi

Re: openssl 0.9.8m-beta1 with modssl patch does not disable renegotiation

2010-01-21 Thread fredk2
Yes, I forgot to mention that I did test with the 0.9.8m s_client and that worked. The [new] problem 0.9.8m creates is that an (old) client can request R and exhaust all apache threads.

Thanks for the reply - Fred

Dr. Stephen Henson wrote:
>
> On Thu, Jan 21, 2010, fredk2 wrote:
>
>>
>> Hi,
>>

Re: openssl 0.9.8m-beta1 with modssl patch does not disable renegotiation

2010-01-21 Thread Dr. Stephen Henson
On Thu, Jan 21, 2010, fredk2 wrote:
>
> Hi,
>
> I have tried to read some of the old posts, but do not understand if the
> following is an apache or openssl question.
>
> I am using the apache 2.2.14 mod_ssl with the patch:
> http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-35