Debian stable (Lenny) will support secure renegotiation

November 17, 2010

Thijs Kinkhorst from the Debian Security Team wrote to me in response to my recent blog post Disabling SSL renegotiation is a crutch, not a fix. I am publishing his entire comment (with permission):

It's true that Debian stable still doesn't have an openssl which supports the
new protocol enhancement, but it's definitely not a refusal to fix it. First
let me note that the fix is already in the upcoming release of Debian,
codename Squeeze. The current stable release, Lenny, does not have the fix
yet, but it is being worked on; an updated openssl is ready but the blocker
currently is that we may need to implement changes in some of the packages
using it. As usual Debian is very cautious with respect to updating its stable
release. It takes a while, and it would have been nice if the fix was out
sooner, but the combination of impacted software takes quite some time and
time is one of the most sought after resources in a volunteer project.

So just so you know that the issue has not been forgotten or ignored; it only
takes "a while" to get everything in order.

Update: The fix was released on January 6, 2011.