httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Mon, 09 Nov 2009 10:06:45 GMT


On 11/09/2009 10:39 AM, Boyle Owen wrote:
>> -----Original Message-----
>> From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org] 
>> Sent: Saturday, November 07, 2009 12:28 AM
>> To: dev@httpd.apache.org
>> Subject: Re: TLS renegotiation attack, mod_ssl and OpenSSL
>>
>> +1 from me. (FreeBSD, Solaris). Test with and without certs (firefox, 
>> safari, openssl tool). Tested with renegotiation break script openssl.
> 
> Can I just verify what is supposed to happen with the break script test?
> 
> I have built 2.2.14 with 0.9.8l on Solaris 10. I do:
> 
> 	$ openssl -connect wibble:443
> 	...
> 	GET / HTTP/1.1
> 	Host:wibble
> 	R
> 	RENEGOTIATING
> 
> Then the connection hangs and I get no further data back from the
> server. On http://wibble/server-status, I see:
> 
> 	6-0 17718 0/1/1 R 0.14 31 90 0.0 0.00 0.00 ? ? ..reading..
> 
> Is this the intended behaviour? I thought it was supposed to drop the
> connection?

Dirk's tests are about the httpd patch

(http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch)

which drops the connection. Not sure what openssl 0.9.8l does or what
the intended behaviour is. You might need to ask on the openssl dev list
about that.

Regards

Rüdiger

