Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 21223 invoked from network); 16 Nov 2009 22:19:40 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 16 Nov 2009 22:19:40 -0000 Received: (qmail 43187 invoked by uid 500); 16 Nov 2009 22:19:39 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 43099 invoked by uid 500); 16 Nov 2009 22:19:38 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 43090 invoked by uid 99); 16 Nov 2009 22:19:38 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 16 Nov 2009 22:19:38 +0000 X-ASF-Spam-Status: No, hits=-4.0 required=10.0 tests=RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of jorton@redhat.com designates 209.132.183.28 as permitted sender) Received: from [209.132.183.28] (HELO mx1.redhat.com) (209.132.183.28) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 16 Nov 2009 22:19:30 +0000 Received: from int-mx04.intmail.prod.int.phx2.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.17]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id nAGMJ6df016245 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 16 Nov 2009 17:19:06 -0500 Received: from turnip.manyfish.co.uk (vpn-10-232.rdu.redhat.com [10.11.10.232]) by int-mx04.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id nAGMJ4Ht028816 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 16 Nov 2009 17:19:05 -0500 Received: from jorton by turnip.manyfish.co.uk with local (Exim 4.69) (envelope-from ) id 1NA9uZ-00056V-4z; Mon, 16 Nov 2009 22:19:03 +0000 Date: Mon, 16 Nov 2009 22:19:03 +0000 From: Joe Orton To: Hartmut Keil Cc: dev@httpd.apache.org Subject: Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 Message-ID: <20091116221903.GB18036@redhat.com> Mail-Followup-To: Hartmut Keil , dev@httpd.apache.org References: <4B01BD20.1060300@adnovum.ch> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <4B01BD20.1060300@adnovum.ch> User-Agent: Mutt/1.5.19 (2009-01-05) Organization: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in UK and Wales under Company Registration No. 03798903 Directors: Michael Cunningham (USA), Brendan Lane (Ireland), Matt Parson (USA), Charlie Peters (USA) X-Scanned-By: MIMEDefang 2.67 on 10.5.11.17 X-Virus-Checked: Checked by ClamAV on apache.org On Mon, Nov 16, 2009 at 09:59:12PM +0100, Hartmut Keil wrote: > With the change described in https://issues.apache.org/bugzilla/show_bug.cgi?id=48204 > the buffer used in ssl_io_input_read(..) will be reset, and so the second request of > the MITM will be dropped. > The first request will be executed, but since there is no Cookie from the victim is the > less dangerous one. Thanks for posting. So you are proposing that mod_ssl discards any decoded app-data message (i.e. HTTP traffic) *subsequent* to the data making up the request which triggered the renegotiation, but before the renegotiation occurs. This change would prevent a variant of the renegotiation prefix attack against a site which uses both client cert auth in a per-dir/location context, *and* HTTP-level authentication. It makes no difference to a vulnerable site relying only on client cert auth in per-dir/loc context; this would still be vulnerable. This would break HTTP pipelining over SSL (for affected configurations), and it might not fail gracefully - the server would appear to simply never receive the pipelined requests. I'm relucant to do that. A similar solution which detected pending buffered bytes after completing the handshake (SSL_pending(ssl) does this), and giving a hard failure (TLS level or HTTP level) might be better, but I haven't thought that through in detail. Regards, Joe