author Ben Laurie <ben@openssl.org> 2009-11-05 11:28:37 +0000
committer Ben Laurie <ben@openssl.org> 2009-11-05 11:28:37 +0000
commit 949fbf073ad23fc0a25aa12011a0325901416180
tree 4af836aff2c867e11fde629a27338b4d71cb0a0a /CHANGES
parent 6156be4da3ab60c1426e21332f91d560c8c10c82
Disable renegotiation.
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 7
1 files changed, 7 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 800288673d..73cc1dec30 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,13 @@
Changes between 0.9.8k and 0.9.8l [xx XXX xxxx]
+ *) Disable renegotiation completely - this fixes a severe security
+ problem at the cost of breaking all renegotiation. Renegotiation
+ can be re-enabled by setting
+ OPENSSL_ENABLE_UNSAFE_LEGACY_SESSION_RENEGOTATION at
+ compile-time. This is really not recommended.
+ [Ben Laurie]
+
*) Fixes to stateless session resumption handling. Use initial_ctx when
issuing and attempting to decrypt tickets in case it has changed during
servername handling. Use a non-zero length session ID when attempting
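Review bot: the macro named in the added entry is spelled OPENSSL_ENABLE_UNSAFE_LEGACY_SESSION_RENEGOTATION, with no "I" after the second "T", so check it character for character against the identifier the code actually tests; this diff is limited to CHANGES and does not show the definition. If the two differ, a builder who copies the name from CHANGES gets no effect and no error, so either correct the entry or state explicitly that the odd spelling is intentional. The entry also says only "a severe security problem" without naming it; a reference to the advisory or issue identifier would let downstream packagers decide whether they are affected. It would also help to say whether the change applies to both client and server sides and what a peer sees when it requests renegotiation against a build with this change, since "breaking all renegotiation" will surface as handshake failures in deployments that rely on it, for example for mid-session client certificate requests.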