your mail

andrew at torproject.org andrew at torproject.org
Sun Jan 31 01:32:27 UTC 2010


On Sat, Jan 30, 2010 at 04:07:59PM -0700, rdump at river.com wrote 2.6K bytes in 72 lines about:
: If you have Vidalia.app containing tor 0.2.1.22, and you've also
: installed Apple's "Mac OS X Security Update 2010-001", you'll have
: noticed that Apple made some errors in their TLS renegotiation.

Thanks for the detail writeup.  Perhaps you want to view
https://bugs.torproject.org/flyspray/index.php?do=details&id=1225 and
the comments.

Or perhaps http://archives.seul.org/or/talk/Jan-2010/msg00253.html for
the current state of packages and fixes.

: Apple removed TLS renegotiation even for apps that both need TLS
: renegotiation and do it safely.  Apple did this in spite of the upstream
: OpenSSL project having fixed the renegotiation vulnerability more
: sanely.  Apple is apparently using a partial back-port of the fix.

Technically, they just disabled it.  You can enable tls renegotiation by
setting CPPFLAGS='-DSSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION=0x0010'
in front of configure.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/



More information about the tor-talk mailing list