29 messages in org.apache.httpd.devTLS renegotiation attack, mod_ssl and...| From | Sent On | Attachments |
|---|---|---|
| Joe Orton | Nov 5, 2009 6:01 am | |
| Peter Sylvester | Nov 5, 2009 7:26 am | |
| Ben Laurie | Nov 5, 2009 7:38 am | |
| Joe Orton | Nov 5, 2009 9:31 am | |
| Ruediger Pluem | Nov 5, 2009 12:37 pm | |
| Joe Orton | Nov 5, 2009 1:30 pm | |
| Dirk-Willem van Gulik | Nov 5, 2009 2:03 pm | |
| Ruediger Pluem | Nov 5, 2009 2:16 pm | |
| Joe Orton | Nov 5, 2009 3:59 pm | |
| Joe Orton | Nov 5, 2009 4:11 pm | |
| Rainer Jung | Nov 5, 2009 4:28 pm | |
| Joe Orton | Nov 5, 2009 7:08 pm | |
| Colm MacCárthaigh | Nov 6, 2009 10:23 am | |
| Dirk-Willem van Gulik | Nov 6, 2009 10:45 am | |
| Dirk-Willem van Gulik | Nov 6, 2009 10:54 am | |
| Colm MacCárthaigh | Nov 6, 2009 10:57 am | |
| Dr Stephen Henson | Nov 6, 2009 10:59 am | |
| Dirk-Willem van Gulik | Nov 6, 2009 1:58 pm | |
| Ruediger Pluem | Nov 6, 2009 2:26 pm | |
| Dirk-Willem van Gulik | Nov 6, 2009 2:31 pm | |
| Joe Orton | Nov 6, 2009 2:48 pm | |
| Dirk-Willem van Gulik | Nov 6, 2009 3:27 pm | |
| Boyle Owen | Nov 9, 2009 1:39 am | |
| Ruediger Pluem | Nov 9, 2009 2:05 am | |
| Jean-Marc Desperrier | Nov 10, 2009 6:19 am | |
| Joe Orton | Nov 10, 2009 6:25 am | |
| fredk2 | Jan 26, 2010 12:04 pm | |
| Dr Stephen Henson | Jan 27, 2010 2:40 pm | |
| Joe Orton | Feb 3, 2010 5:43 am |
| Subject: | TLS renegotiation attack, mod_ssl and OpenSSL | |
|---|---|---|
| From: | Joe Orton (jor...@redhat.com) | |
| Date: | Nov 5, 2009 6:01:03 am | |
| List: | org.apache.httpd.dev | |
With reference to the issue described here:
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
Considering the impact on mod_ssl, I'm making these assumptions:
1. no HTTP/SSL client initiates a renegotiation of its own accord
2. many mod_ssl configurations do not require a renegotiation to be performed at all
3. some mod_ssl configurations, typically requiring client cert auth in a per-directory/location context, do require the server to initiate a renegotiation.
The longer term plan to fix the vulnerability is to upgrade all clients and servers to support a new TLS extension which allows renegotiations to be performed securely.
Disabling renegotiation completely and unconditionally at SSL toolkit level will break a significant number of installs - I don't think we could deploy that change.
In the short term, I think it would be useful to have a new SSL_OP_* flag which enables rejection of a client-initiated handshake in an SSL server. This will fix the issue for 90% of sites without breaking the remaining 10% (case 3 above), and is a change that can be deployed everywhere.
Regards, Joe