What are openSuSE’s plans as to the release of an rpm with openssl-0.8.9m which has the solution to the renegotiation man-in-the-middle attack, not just turning key renegotiation down?
As a companion to this version of openssl Apache HTTP 2.2.15 would be very desirable, as it incorporates a patch that allows - at the site’s discretion - to refuse or accept the insecure “old-style” key renegotiation.
apache 2.2.15 is already available in the Factory, but needs to be compiled against openssl 0.8.9m or higher in order to provide the RFC 5746 (real solution to TLS renegotiation vulnerability) related features.
So the lack of openssl 0.9.8m+ becomes more and more critical!!!
You should check the changelog of recent updated RPMs. Many distros, openSUSE included, backport the patch without incrementing the version number so as not to break dependencies. The fix may already be incorporated.
That’s what I’ve done before starting the thread: The only “remedy” the latest openSuSE RPMs are providing is to disable any TLS renegotiation which i.a. breaks any attempt to do an authentication with X.509 certificates over an established HTTPS connection.