Bug 7547 - SSL renegotiation indication (RFC 5746) support for https://*.samba.org
SSL renegotiation indication (RFC 5746) support for https://*.samba.org
Status: RESOLVED FIXED
Product: Samba Web
Classification: Unclassified
Component: content
current
All All
: P3 minor
: ---
Assigned To: Karolin Seeger
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-03 14:14 UTC by Matt McCutchen
Modified: 2011-03-14 19:51 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt McCutchen 2010-07-03 14:14:20 UTC
Please support RFC 5746 (http://tools.ietf.org/html/rfc5746) on the samba.org SSL sites.  In the future, this will be required for them to receive the blue SSL badge in Firefox (see https://bugzilla.mozilla.org/show_bug.cgi?id=535649).  It should just be a matter of upgrading OpenSSL to >= 1.0.0.
Comment 1 Björn Jacke 2011-03-14 17:10:01 UTC
at least bugzilla.samba.org has the blue badge in FF4, even though there is no openssl 1.x istalled. All servers will be updated sooner or later anyhow and get support for that by the new openssl version then, right? We won't update a server just to support "this nice to have" rfc 5746 stuff, so I'm closing this as a "worksforme".
Comment 2 Matt McCutchen 2011-03-14 17:44:20 UTC
I retested all the Samba sites, and they appear to be fixed now.

(In reply to comment #1)
> at least bugzilla.samba.org has the blue badge in FF4,

security.ssl.treat_unsafe_negotiation_as_broken still defaults to false in Firefox 4, so that means nothing unless you changed the pref manually.

> even though there is no
> openssl 1.x istalled. All servers will be updated sooner or later anyhow and
> get support for that by the new openssl version then, right?

Right.  In fact, openssl 0.9.8g-15+lenny10 with renegotiation indication support (backported from newer upstream openssl) was released on January 6, and the feature had been in squeeze long before that.

> We won't update a
> server just to support "this nice to have" rfc 5746 stuff, so I'm closing this
> as a "worksforme".

The correct resolution in such a case would be WONTFIX.  But the problem is in fact fixed.
Comment 3 Björn Jacke 2011-03-14 19:51:31 UTC
thanks for the feedback, Matt!