Bug #2492
closed
openssl beast workaround disabled in 1.4.32
Description
https://issues.apache.org/bugzilla/show_bug.cgi?id=53899
lighttpd is setting the same SSL_OP_ALL so beast mitigation is not on.
long ssloptions =
SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
I checked trunk and there the option is not set, so hopefully just a matter of backporting.
Updated by stbuehler over 11 years ago
- Priority changed from Urgent to Normal
- Target version set to 1.4.33
svn trunk is "dead". For beast mitigation we recommend using TLS1.1+ or preferring RC4 (after TLS1.1+ ciphers) as cipher, see the 1.4.30 release announcement.
As some implementations can't handle the empty fragment workaround, I'm not sure I even want to change that. AFAICS Apache only added an option to re-enable the workaround, not making it the default.
Perhaps we'll add an option too, but right now I don't think it will be active by default.
Updated by stbuehler about 11 years ago
- Status changed from New to Fixed
- % Done changed from 0 to 100
Applied in changeset r2891.