>1) a fixed OpenSSL.
> NetBSD-SA2010-002 says netbsd-5 and netbsd-5-0 were fixed on 2010-01-12,
> and 5.0.2 and 5.1 were released later, so these two releases should be
> alright.

"fixed" means here that SSL renegotiation was disabled.
There is a way to enable it (FLAG_UNSAFE_LEGACY_RENEGOTIATION).
This was introduced in OpenSSL-0.9.8l and immediately dropped
in 0.9.8m because it was considered wrong. This was pulled
into NetBSD-5 but it is almost useless because it is not supported
by modern software. It is also problematic because the
same flag value was reused by OpenSSL>=1.0 for something
different.
While the OpenSSL in 5.1 calls itself "0.9.9-devel", it does
not implement RFC5746 which was introduced in 0.9.8m.

>2) a fixed apache that supports RFC 5746. According to this document,
> 2.2.15 seems to support RFC 5746

Yes, but it does not support the short-lived
FLAG_UNSAFE_LEGACY_RENEGOTIATION which is the only way
to get renegotiation with the OpenSSL version in NetBSD-5.1.

You could try to build apache against pkgsrc/openssl
which is 0.9.8q and thus supports RFC5746.
(and the OP_UNSAFE_LEGACY_RENEGOTIATION option which can also
be used by apache according to "grep")

best regards
Matthias