Comment 10 for bug 1256576

Revision history for this message
Jeffrey Walton (noloader) wrote :

OpenSSL 1.0.1f was released today. http://marc.info/?l=openssl-announce&m=138902140315854&w=2.

There are three CVE remediations included in the release: CVE-2013-4353, CVE-2013-6449, CVE-2013-6450. http://www.openssl.org/news/openssl-1.0.1-notes.html.

There's also an Apple SecureTransport bug workaround. Apple's SecrureTransport does not properly negotiate ECDHE_ECDSA cipher suites. It affects Mac OS X and could affect iOS (you know how Apple is about their security mistakes...). It might be prudent to add SSL_OP_SAFARI_ECDHE_ECDSA_BUG by default. http://<email address hidden>/msg32629.html.

Now might be a good time to revisit TLSv1.1 and TLSv1.2 support.