httpd-dev mailing list archives

From Hartmut Keil <Hartmut.K...@adnovum.ch>
Subject Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555
Date Thu, 19 Nov 2009 15:05:34 GMT
Joe Orton wrote:
> On Tue, Nov 17, 2009 at 06:12:41PM +0100, Hartmut Keil wrote:
>> The client must stop and wait for the response in any case, otherwise the
>> response of a subsequent request will get lost, if the server is not configured
>> for keep-alive, or the response for the first request causes the server to close
>> the connection:
> 
> It's not the case that clients "must stop and wait" - read RFC 2616 for 
> a description of HTTP pipelining.


You're right, I missed that point.

According to http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.1.2.2

"...Clients MUST also be prepared to resend their requests if the server closes the connection before sending all of the corresponding responses. ...."

we are allowed to close the keep-alive connection after sending the response.

With the proposed change, we prevent request splitting attacks based on the TLS renegotiation flaw. From my point of view this has no drawbacks, since 'pipelining' clients must handle the closing of a connection after a complete response in any case.


Regards
Hartmut





--- ssl_engine_io.c.patched     2009-11-16 10:57:23.416525000 +0100
+++ ssl_engine_io.c     2009-11-19 15:52:28.852264000 +0100
@@ -478,6 +478,13 @@
         inctx->rc = APR_ECONNABORTED;
         return -1;
     }
+       /* Clear buffer with decrypted data if the server has initiated a renegotiation.*/
+       if (inctx->filter_ctx->config->reneg_state == RENEG_ALLOW) {
+        char_buffer_write(&inctx->cbuf, NULL, 0);
+       /* disable keep alive */
+               conn_rec *c  = (conn_rec *)SSL_get_app_data(inctx->filter_ctx->pssl);
+               c->keepalive = AP_CONN_CLOSE;
+    }

     /* XXX: flush here only required for SSLv2;
      * OpenSSL calls BIO_flush() at the appropriate times for
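Review bot: `conn_rec *c` on the fourth added line is declared after a statement in the same block, which httpd's C89-style code base does not allow; move the declaration to the top of the block (or of the enclosing function) and keep the assignment `c = (conn_rec *)SSL_get_app_data(inctx->filter_ctx->pssl);` where it is. The added lines also mix tab and four-space indentation, so the closing brace of the new `if` does not line up with its opening; reindent to the surrounding four-space style. Since the check fires on every call into this read path for as long as `reneg_state == RENEG_ALLOW`, the comment should say what the clearing is for (dropping data decrypted before the server-initiated renegotiation, per CVE-2009-3555) and where `reneg_state` is reset, so a reviewer can confirm that data received after the handshake completes is not discarded as well.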



> 
> Regards, Joe
> 


-- 
AdNovum Informatik AG
Hartmut Keil, Senior Software Engineer
Dipl. Physiker

Roentgenstrasse 22, CH-8005 Zurich
mailto:hartmut.keil@adnovum.ch
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch

AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)
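As an added illustration of the RFC 2616 section 8.1.2.2 behaviour the reply relies on (this is example code, not part of the message above and not httpd's code): a pipelining client whose connection is closed after one complete response has to resend the unanswered requests on a new connection. The `FakeServer` below is a constructed stand-in for a server that, like the patched mod_ssl, answers the first request, drops the rest of the buffered input and closes; the request strings, the `FakeServer` and `send_pipelined` names and the `close_after_first` switch are assumptions of this example. It goes one step beyond the message by applying the RFC's idempotency rule: only requests with idempotent methods are resent automatically.

```python
"""Constructed model (not httpd code) of how a pipelining HTTP client
recovers when the server closes a keep-alive connection after one
complete response, as RFC 2616 section 8.1.2.2 requires clients to do."""
from dataclasses import dataclass, field

# Methods RFC 2616 section 9.1.2 defines as idempotent: safe to resend
# automatically when the server closed the connection without answering.
IDEMPOTENT_METHODS = {"GET", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}


@dataclass
class FakeServer:
    """Stand-in server (constructed for this example). With close_after_first
    set it behaves like the patched mod_ssl: it answers the first request on
    a connection, discards the rest of the pipelined input and closes."""
    close_after_first: bool
    connections_opened: int = 0
    executed: list = field(default_factory=list)

    def connection(self, pipelined_requests):
        """Handle one connection; return the responses actually sent."""
        self.connections_opened += 1
        responses = []
        for req in pipelined_requests:
            self.executed.append(req)
            responses.append(f"HTTP/1.1 200 OK ({req})")
            if self.close_after_first:
                break  # remaining buffered requests dropped, connection closed
        return responses


def send_pipelined(server, requests, max_connections=10):
    """Send `requests` pipelined on one connection; resend the unanswered
    idempotent ones on a new connection until all are answered.
    Returns (responses, not_retried, connections_used). Non-idempotent
    requests that got no response are reported in not_retried rather than
    blindly resent, because the client cannot know whether they ran."""
    outstanding = list(requests)
    responses = {}
    not_retried = []
    connections = 0
    while outstanding and connections < max_connections:
        connections += 1
        got = server.connection(outstanding)
        for req, resp in zip(outstanding, got):
            responses[req] = resp
        lost = outstanding[len(got):]
        if not lost:
            break
        # Server closed before answering everything: RFC 2616 8.1.2.2 says
        # resend, but only requests whose method is idempotent.
        retry = []
        for req in lost:
            method = req.split(" ", 1)[0]
            if method in IDEMPOTENT_METHODS:
                retry.append(req)
            else:
                not_retried.append(req)
        outstanding = retry
    return responses, not_retried, connections


if __name__ == "__main__":
    srv = FakeServer(close_after_first=True)
    print(send_pipelined(srv, ["GET /a", "GET /b", "POST /c", "GET /d"]))
```

With `close_after_first` set, four pipelined requests cost three connections and the GETs all get answered; the POST is reported rather than resent, which is why RFC 2616 tells clients to wait for the previous response before sending a non-idempotent request. Against a server that keeps the connection open, the same call completes on one connection.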

