Description of problem:
Certain sequences of per-directory renegotiations and the SSLCipherSuite
directive being used to upgrade from a weak ciphersuite to a strong one could
result in the weak ciphersuite being used in place of the strong one.
Version-Release number of selected component (if applicable):
all versions of mod_ssl, all versions of httpd before 2.0.47
*** Bug 101784 has been marked as a duplicate of this bug. ***
This bug was opened on July 9 to address a security issue and it remains
a "NEW" status issue. When can we expect movement on this so that Redhat
users and RHN subscribers aren't being encouraged to use outdated and insecure
I guess it should really be "assigned" since we did start through our internal
errata process which will lead to an errata. This issue is classed as a low
priority however as the SSL renegotiation options were for a long time
considered experimental and are rarely used.
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.