httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Fri, 06 Nov 2009 00:12:20 GMT
On Fri, Nov 06, 2009 at 12:00:06AM +0000, Joe Orton wrote:
> On Thu, Nov 05, 2009 at 09:31:00PM +0000, Joe Orton wrote:
> > * we can detect in mod_ssl when the client is renegotiating by using the 
> > callback installed using SSL_CTX_set_info_callback(), in conjunction 
> > with suitable flags in the SSLConnRec to detect the cases where this is 
> > either a server-initiated renegotiation or the initial handshake on the 
> > connection.
> 
> Here is a very rough first hack (for discussion/testing purposes only!):

FYI - Dirk points out that you can test this using openssl s_client by 
entering a line with the single character 'R' which s_client treats as a 
command to initiate a renegotiation.

Joe

$ openssl s_client ...
---
GET / HTTP/1.1
Host: localhost
R
RENEGOTIATING
139919233795736:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:590:

