httpd-dev mailing list archives

From Ruediger Pluem <>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Fri, 06 Nov 2009 22:27:02 GMT

On 11/06/2009 10:58 PM, Dirk-Willem van Gulik wrote:
> So what are the next steps here?
> -    Joe's patch is final.
> -    Give the community the advice 'immediately' - with a website
>     update and an email to announce:
>     Apache httpd is affected by CVE-XXXX (The SSL Injection
>     or MiM attack).
>     We strongly urge you to upgrade to OpenSSL 0.9.8l; and be
>     prepared to deploy 0.9.8m as it becomes available.
>     For those who are not able to upgrade swiftly and/or for those
>     who need detailed logging - we recommend that you roll out
>     this patch (URL) as soon as possible.

I guess no one who needs server-triggered renegotiation in their configuration
can upgrade to 0.9.8l, as to my understanding *all* renegotiations
are simply turned off in 0.9.8l. So these people can only go with
our patch or a fresh release of httpd and are still *vulnerable* in those URL
spaces that are somehow "protected" by these renegotiations.
I guess how much, in the cert case, also depends on the client's browser settings
and its user (does it send a certificate even though the original request
by the browser did not request one?).

>     If you are unable to patch and unable to roll out a newer
>     version of OpenSSL then we recommend that you ensure that
>     you limit your configuration to a single 'SSLClient require'
>     or 'SSLClient none' at VirtualHost/Server level and remove
>     all other (re)negotiation changes. However this does NOT
>     fully protect you - it just curtails authentication.
>     A version with this patch, Apache 2.2.15, is currently
>     being readied; there are no plans for a backport to
>     1.3.X at this time.
> -    Check how much we have on the roster in - and either release
>     a 2.x with just this CVE - or a more wrapped up one?
> Do we need to backport this for the 1.3.42 branch?

Note that mod_ssl is not part of 1.3.x but a separate project.
So only 2.0.x might be worth a thought.
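The interim advice quoted above ("a single 'SSLClient require' or 'SSLClient none' at VirtualHost/Server level") refers to the mod_ssl directive SSLVerifyClient. The following is an added example, not configuration from this thread or from the httpd project: the per-Location pattern that forces mod_ssl to start a server-triggered renegotiation mid-connection, beside the host-level variant the advice recommends. File paths are placeholders.

```apache
# --- Pattern the advice says to remove ------------------------------------
# Only /secure/ requires a client certificate. The initial handshake runs
# with SSLVerifyClient none; when a request for /secure/ arrives, mod_ssl
# must renegotiate to request the certificate. That server-triggered
# renegotiation is the window the attack discussed in the thread abuses,
# and it is what an OpenSSL 0.9.8l upgrade simply switches off.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /PLACEHOLDER/server.crt
    SSLCertificateKeyFile /PLACEHOLDER/server.key
    SSLCACertificateFile  /PLACEHOLDER/client-ca.crt
    SSLVerifyClient none

    <Location /secure/>
        SSLVerifyClient require      # differs from the host: renegotiation
        SSLVerifyDepth  1
    </Location>

    <Location /legacy/>
        SSLCipherSuite HIGH:!aNULL   # a per-directory cipher change also
    </Location>                      # forces a renegotiation in mod_ssl
</VirtualHost>

# --- Interim setting the advice recommends ---------------------------------
# One SSLVerifyClient value for the whole virtual host and no per-Location
# overrides of SSLVerifyClient, SSLVerifyDepth or SSLCipherSuite, so the
# server never initiates a renegotiation. The cost, as the thread notes,
# is that the certificate requirement now applies to every URL on the host
# (or to none of them); this does not by itself remove the vulnerability.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /PLACEHOLDER/server.crt
    SSLCertificateKeyFile /PLACEHOLDER/server.key
    SSLCACertificateFile  /PLACEHOLDER/client-ca.crt
    SSLVerifyClient require          # or 'none'; set once, at host level
    SSLVerifyDepth  1
    SSLCipherSuite  HIGH:!aNULL      # likewise set once, not per Location
</VirtualHost>
```

Checking the active configuration for per-directory SSLVerifyClient or SSLCipherSuite overrides is the quickest way to tell whether a given host still depends on server-triggered renegotiation.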