httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Thu, 05 Nov 2009 22:17:42 GMT


On 11/05/2009 11:03 PM, Dirk-Willem van Gulik wrote:
> Joe Orton wrote:
> 
>> * we can detect in mod_ssl when the client is renegotiating by using the
>> callback installed using SSL_CTX_set_info_callback(), in conjunction
>> with suitable flags in the SSLConnRec to detect the cases where this is
>> either a server-initiated renegotiation or the initial handshake on the
>> connection.
> 
> This seems to work for me - i.e. it calls back exactly when needed
> (rather than EAGAIN like break bubbling up in kernel_io.c) - and it
> _also_ seems to cover the other types of re-negotiation (i.e. other than
> for a Cert) which actually worry me a lot more.
> 
> For the record - this MiM can be done with _all_ type of
> (re)negotiations - for all parameters right ?

As far as I understand it: Yes. One of the examples was regarding cipher spec
renegotiations and I see no reasons why other renegotiations beyond cert and
cipher spec shouldn't be vulnerable.

Regards

RĂ¼diger

Mime
View raw message