You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Ruediger Pluem <rp...@apache.org> on 2009/11/07 00:37:56 UTC
Re: svn commit: r833582 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_init.c
ssl_engine_io.c ssl_engine_kernel.c ssl_private.h
On 11/06/2009 11:33 PM, jorton@apache.org wrote:
> Author: jorton
> Date: Fri Nov 6 22:33:19 2009
> New Revision: 833582
>
> URL: http://svn.apache.org/viewvc?rev=833582&view=rev
> Log:
> SECURITY: Partial fix for CVE-2009-3555:
>
Looks good. Passes all tests in the framework (should we add one for CVE-2009-3555?)
Backporting to 2.2.x has a little conflict in ssl_engine_io.c which is resolved in the
attached patch which backports r833582 and r833593.
This patch also passes all tests.
Regards
RĂ¼diger
Re: svn commit: r833582 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_init.c
ssl_engine_io.c ssl_engine_kernel.c ssl_private.h
Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
Joe Orton wrote:
> Awesome, thanks a lot!
>
> +1 for backport to 2.2.x here too.
+1 here from me as well.
So the trunk patch is
svn diff -r833581:833594 \
https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl
> I doubt it's possible to test this from perl-framework since it won't
> expose a way to trigger a renegotiation from the client, unfortunately.
perhaps 'echo R | openssl s_client' ... with some clever chat/expect ?
Thanks,
Dw
Re: svn commit: r833582 - in /httpd/httpd/trunk/modules/ssl:
ssl_engine_init.c ssl_engine_io.c ssl_engine_kernel.c ssl_private.h
Posted by Joe Orton <jo...@redhat.com>.
On Sat, Nov 07, 2009 at 12:37:56AM +0100, Ruediger Pluem wrote:
> On 11/06/2009 11:33 PM, jorton@apache.org wrote:
> > Author: jorton
> > Date: Fri Nov 6 22:33:19 2009
> > New Revision: 833582
> >
> > URL: http://svn.apache.org/viewvc?rev=833582&view=rev
> > Log:
> > SECURITY: Partial fix for CVE-2009-3555:
>
> Looks good. Passes all tests in the framework (should we add one for CVE-2009-3555?)
> Backporting to 2.2.x has a little conflict in ssl_engine_io.c which is resolved in the
> attached patch which backports r833582 and r833593.
> This patch also passes all tests.
Awesome, thanks a lot!
+1 for backport to 2.2.x here too.
I doubt it's possible to test this from perl-framework since it won't
expose a way to trigger a renegotiation from the client, unfortunately.
Regards, Joe