httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l
Date Sun, 15 Nov 2009 21:53:05 GMT
Hi,

On Tuesday 10 November 2009, Jean-Marc Desperrier wrote:
> So when Apache is compiled with openssl 0.9.8l, TLS renegotiation
>  will be fully disabled.
> 
> But the problem with that if that some comments of the discussion
>  inside https://issues.apache.org/bugzilla/show_bug.cgi?id=39243
>  are true, this change will unexpectedly break very badly a *lot*
>  of sites.
> 
> Those comments suggest Apache currently requests TLS renegotiation
>  in quite a few cases where it should not be needed, and where it
>  won't be expected.
> 
> First there's the short SSLSessionCacheTimeout problem :
> https://issues.apache.org/bugzilla/show_bug.cgi?id=39243#c23
> 
> In my understanding, SSLSessionCacheTimeout should never cause
> renegociation. If the client tries to do a SSL session resume, and
>  the server does not have the SSL info for that SSL id anymore, the
>  result is a brand new SSL Session, *not* a SSL renegotiation.
> 
> If they actually are resumes caused by SSLSessionCacheTimeout, then
>  it seems SSLSessionCacheTimeout times out sessions that are
>  currently active at the TCP level, and where the user is just
>  trying to send more data. Or there's a bug in the resume code that
>  first says yes, then finds the session id should have been timed
>  out, so forces a renegotiation. Anyway, this means this was
>  already broken in some way before, but it used to be of little
>  consequences and will now be a huge problem.
> 
> Second there's the SSLVerifyClient optional problem :
> https://issues.apache.org/bugzilla/show_bug.cgi?id=39243#c21
> 
> When SSLVerifyClient optional is actually used to allow various
> authentication level, it's expected that the change will break the
>  site.
> 
> But what this comment report is that simply having SSLVerifyClient
> optional set, not having any different value anywhere, not even
>  *using* client certificates, will cause renegotiation to happen
>  and therefore sites to break when TLS renegotiation is disabled.
> And Peter Gutmann just reported on oss-sec that they are many
>  servers configured like this (see
>  http://seclists.org/oss-sec/2009/q4/138 ) with their admin not
>  even knowing that they require client certificates.
> 
> According to the following comment, it might be that a very simple
>  patch would correct this problems :
> https://issues.apache.org/bugzilla/show_bug.cgi?id=39243#c16
> (I've checked the svn code for apache 2.2.x, that piece of code is
>  still exactly the same, but I don't understand enough to be sure
>  that just handling the "optional" case in addition to the "none"
>  case would really be enough to solve the problem)
> 

I cannot reproduce the problems. With an openssl that rejects all 
renegotiations, both reconnections after ssl session timeout and 
connections to a host with sslverifyclient optional work fine (with 
openssl s_client).

Cheers,
Stefan

Mime
View raw message