You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Ruediger Pluem <rp...@apache.org> on 2009/11/07 00:37:56 UTC

Re: svn commit: r833582 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_init.c ssl_engine_io.c ssl_engine_kernel.c ssl_private.h

On 11/06/2009 11:33 PM, jorton@apache.org wrote:
> Author: jorton
> Date: Fri Nov  6 22:33:19 2009
> New Revision: 833582
> 
> URL: http://svn.apache.org/viewvc?rev=833582&view=rev
> Log:
> SECURITY: Partial fix for CVE-2009-3555:
> 

Looks good. Passes all tests in the framework (should we add one for CVE-2009-3555?)
Backporting to 2.2.x has a little conflict in ssl_engine_io.c which is resolved in the
attached patch which backports r833582 and r833593.
This patch also passes all tests.

Regards

Rüdiger

Re: svn commit: r833582 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_init.c ssl_engine_io.c ssl_engine_kernel.c ssl_private.h

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.

Joe Orton wrote:
> Awesome, thanks a lot!
>
> +1 for backport to 2.2.x here too.
+1 here from me as well.

So the trunk patch is

	svn diff -r833581:833594 \
	https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl

> I doubt it's possible to test this from perl-framework since it won't
> expose a way to trigger a renegotiation from the client, unfortunately.

perhaps 'echo R | openssl s_client' ... with some clever chat/expect ?

Thanks,

Dw

Re: svn commit: r833582 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_init.c ssl_engine_io.c ssl_engine_kernel.c ssl_private.h

Posted by Joe Orton <jo...@redhat.com>.

On Sat, Nov 07, 2009 at 12:37:56AM +0100, Ruediger Pluem wrote:
> On 11/06/2009 11:33 PM, jorton@apache.org wrote:
> > Author: jorton
> > Date: Fri Nov  6 22:33:19 2009
> > New Revision: 833582
> > 
> > URL: http://svn.apache.org/viewvc?rev=833582&view=rev
> > Log:
> > SECURITY: Partial fix for CVE-2009-3555:
> 
> Looks good. Passes all tests in the framework (should we add one for CVE-2009-3555?)
> Backporting to 2.2.x has a little conflict in ssl_engine_io.c which is resolved in the
> attached patch which backports r833582 and r833593.
> This patch also passes all tests.

Awesome, thanks a lot!  

+1 for backport to 2.2.x here too.

I doubt it's possible to test this from perl-framework since it won't 
expose a way to trigger a renegotiation from the client, unfortunately.

Regards, Joe