2010/2/22 Tom Lane <tgl@sss.pgh.pa.us>:
> Magnus Hagander <magnus@hagander.net> writes:
>> If so, shouldn't we try to disable renegotiation for all versions
>> *before* it was properly fixed?
>
> If we could tell that, sure. But I don't believe there is any way to
> identify whether a given installation of openssl has this patched.
> Please don't suggest looking at the version number --- Red Hat and
> other vendors are in the habit of back-patching security fixes without
> changing the version number.
That, if anything, is a bug :( But yes, it's a bug lots of linux
distros seem to consider a feature :(
>> Which today means all versions released. The proper fix is in 0.9.8m,
>> which is currently in beta. At least that's my understanding.
>
> Red Hat's already shipping the patch. Dunno about other vendors.
Which patch? The one that breaks it, or the one that changes the protocol?
> The real bottom line here is that this isn't our bug. It's unfortunate
> that we're affected by it, but that doesn't mean that we should be
> installing kluges to work around it.
True. But people will call it our problem.
One way to deal with it would be to expose the whole renegotiation
setting as a user configuratble option. So they can set *when* we
renegotiate, which would also let them turn it off completely. There
are probably people who would like to change it, but there certainly
haven't been enough of them so we've heard lots of complains. And it's
definitely not back-patchable.
We also have to consider our Windows users, where *we* ship the
OpenSSL library. Where there is no library we can ship right now that
fixes it.
-- Magnus HaganderMe: http://www.hagander.net/Work: http://www.redpill-linpro.com/
