httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 31505] - SSLCipherSuite can be bypassed during renegotiation
Date Fri, 08 Oct 2004 12:49:37 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=31505>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=31505

SSLCipherSuite can be bypassed during renegotiation

------- Additional Comments From jorton@redhat.com  2004-10-08 12:49 -------
This is what I committed:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.110&r2=1.111
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.128&r2=1.129

so now with 0.9.6 you'll simply get a 403 if you try to access a
differently-ciphersuite-protected resource with a client which tries to resume a
session during the renegotiation, and the ciphersuite in the resumed session is
not sufficient.

With 0.9.7, even with such a client, you shouldn't hit the check since OpenSSL
will refuse to resume the session.

This should have all bases covered; have I missed anything?
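The two behaviours the comment describes (a resumed session re-checked against the per-directory SSLCipherSuite and answered with 403 when it is too weak, versus the server refusing to resume at all so a fresh handshake runs against the stricter list) are modelled below. This is an added example written for this page; it is not httpd's code and does not reproduce the linked commits. It uses Python's ssl module only to expand real OpenSSL cipher-list strings, so the membership checks follow the OpenSSL Python is linked against; the function names, the two SSLCipherSuite values, the client's cipher offer and the first-match negotiation rule are all assumptions made for the illustration, and "0.9.6"/"0.9.7" in the comments refer to the OpenSSL versions named in the comment above.

```python
"""Model of a per-directory SSLCipherSuite check on a resumed TLS session.

Added example, not httpd's own code.  The Python ssl module is used only to
expand OpenSSL cipher-list strings; everything else is a deliberately small
model of the session-resumption problem described on this page.
"""
import ssl


def expand_cipher_spec(spec):
    """Expand an OpenSSL cipher-list string (the form SSLCipherSuite takes)
    into the set of cipher names it permits, as understood by the OpenSSL
    Python links against.  TLS 1.3 suites are configured separately in
    OpenSSL and are left out of this model."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def negotiate(spec, client_offer):
    """Pick the first cipher the client offers that spec allows, or None.
    (Assumed rule for the model; a real server may impose its own order.)"""
    allowed = expand_cipher_spec(spec)
    return next((name for name in client_offer if name in allowed), None)


def renegotiate(dir_spec, client_offer, cached_cipher, resume_on_reneg):
    """Renegotiation forced by a request for a location with its own
    SSLCipherSuite.  Returns (cipher, reused).

    If the server lets the client resume its cached session, dir_spec is
    never consulted: the resumed session keeps the cipher it was created
    with (the situation the 0.9.6 check catches).  With resume_on_reneg
    False the server refuses resumption and a full handshake runs against
    dir_spec (the 0.9.7 behaviour the comment describes)."""
    if cached_cipher is not None and resume_on_reneg:
        return cached_cipher, True
    return negotiate(dir_spec, client_offer), False


def access_before_fix(cipher, reused):
    """Pre-fix logic: any completed renegotiation was trusted as-is."""
    return 200 if cipher is not None else 403


def access_after_fix(dir_spec, cipher, reused):
    """Fixed logic: a resumed session is accepted only if its cipher is one
    the per-directory SSLCipherSuite would have allowed; otherwise 403."""
    if cipher is None:
        return 403
    if reused and cipher not in expand_cipher_spec(dir_spec):
        return 403
    return 200


# Constructed scenario: a lax server-wide list, a stricter list on /secure,
# and a client that prefers a CBC/HMAC suite but can also do AES-GCM.
GLOBAL_SPEC = "ALL:!aNULL:!eNULL"
SECURE_SPEC = "AESGCM"
CLIENT_OFFER = ["ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]


def scenario(resume_on_reneg, fixed):
    """Initial handshake under GLOBAL_SPEC, then a request for /secure.
    Returns (HTTP status, cipher the connection ends up using)."""
    initial = negotiate(GLOBAL_SPEC, CLIENT_OFFER)  # goes into the session cache
    cipher, reused = renegotiate(SECURE_SPEC, CLIENT_OFFER, initial, resume_on_reneg)
    if fixed:
        return access_after_fix(SECURE_SPEC, cipher, reused), cipher
    return access_before_fix(cipher, reused), cipher


if __name__ == "__main__":
    print("bug (resumed, unchecked):       ", scenario(True, False))
    print("0.9.6 fix (resumed, checked):   ", scenario(True, True))
    print("0.9.7 fix (resumption refused): ", scenario(False, True))
```

Running it shows the three outcomes side by side: the unchecked resumed session serves /secure on the CBC suite the client chose at connection start, the check turns that into a 403 on the same cipher, and refusing resumption yields a 200 on an AES-GCM suite because the handshake was actually redone against the stricter list.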

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

