Apply by doing: cd /usr/src patch -p0 < 004_openssl.patch And then rebuild and install the library and statically-linked binaries that depend upon it: cd lib/libssl make obj make depend make includes make make install cd ../../sbin make obj make depend make make install Index: lib/libssl/src/ssl/s3_lib.c =================================================================== RCS file: /cvs/src/lib/libssl/src/ssl/s3_lib.c,v retrieving revision 1.14 retrieving revision 1.14.6.1 diff -u -p -r1.14 -r1.14.6.1 --- lib/libssl/src/ssl/s3_lib.c 5 Jan 2009 21:36:39 -0000 1.14 +++ lib/libssl/src/ssl/s3_lib.c 17 Nov 2009 14:34:52 -0000 1.14.6.1 @@ -2592,6 +2592,9 @@ int ssl3_renegotiate(SSL *s) if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) return(0); + if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + return(0); + s->s3->renegotiate=1; return(1); } Index: lib/libssl/src/ssl/s3_pkt.c =================================================================== RCS file: /cvs/src/lib/libssl/src/ssl/s3_pkt.c,v retrieving revision 1.13 retrieving revision 1.13.6.1 diff -u -p -r1.13 -r1.13.6.1 --- lib/libssl/src/ssl/s3_pkt.c 9 Jan 2009 12:15:52 -0000 1.13 +++ lib/libssl/src/ssl/s3_pkt.c 17 Nov 2009 14:34:52 -0000 1.13.6.1 @@ -985,6 +985,7 @@ start: if (SSL_is_init_finished(s) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && + (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && !s->s3->renegotiate) { ssl3_renegotiate(s); @@ -1117,7 +1118,8 @@ start: if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) { if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) + !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && + (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { #if 0 /* worked only because C operator preferences are not as expected (and * because this is not really needed for clients except for detecting Index: lib/libssl/src/ssl/s3_srvr.c =================================================================== RCS file: /cvs/src/lib/libssl/src/ssl/s3_srvr.c,v retrieving revision 1.23 retrieving revision 1.23.6.1 diff -u -p -r1.23 -r1.23.6.1 --- lib/libssl/src/ssl/s3_srvr.c 9 Jan 2009 12:15:52 -0000 1.23 +++ lib/libssl/src/ssl/s3_srvr.c 17 Nov 2009 14:34:52 -0000 1.23.6.1 @@ -718,6 +718,14 @@ int ssl3_get_client_hello(SSL *s) #endif STACK_OF(SSL_CIPHER) *ciphers=NULL; + if (s->new_session + && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + goto f_err; + } + /* We do this so that we will respond with our native type. * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, * This down switching should be handled by a different method. Index: lib/libssl/src/ssl/ssl_locl.h =================================================================== RCS file: /cvs/src/lib/libssl/src/ssl/ssl_locl.h,v retrieving revision 1.15 retrieving revision 1.15.6.1 diff -u -p -r1.15 -r1.15.6.1 --- lib/libssl/src/ssl/ssl_locl.h 9 Jan 2009 12:15:52 -0000 1.15 +++ lib/libssl/src/ssl/ssl_locl.h 17 Nov 2009 14:34:52 -0000 1.15.6.1 @@ -401,6 +401,8 @@ #define NAMED_CURVE_TYPE 3 #endif /* OPENSSL_NO_EC */ +#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010 + typedef struct cert_pkey_st { X509 *x509;