httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <>
Subject Re: Reading between the lines; changelog
Date Fri, 05 Mar 2010 22:13:44 GMT
On Fri, Mar 5, 2010 at 4:55 PM, William A. Rowe Jr. <> wrote:
> Anyone looking at the changelog should be terrified of adopting 2.2.15; I'm going
> to modify it thusly (please correct attributions if needed?);
>  *) SECURITY: CVE-2009-3555 (
>     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
>     attack when compiled against OpenSSL version 0.9.8m or later.

I see what you mean about potential fear; OTOH, maybe "comprehensive
fix" is misleading too.  Joe mentioned adding something to the FAQ
about the issue.  Perhaps that's the only solution.

I feel like we should convey "we've done the best we can as far as we
know; you should definitely use 2.2.15 and 0.9.8m; you'll be fine if
you don't require renegotiation with old/existing clients, but you're
still screwed if you require renegotiation with old/existing clients"

Here's a summary I sent someone recently.


0.9.8k and before
all legacy renegotiation is allowed
secure renegotiation not implemented

legacy renegotiation is allowed only if an API call is made; this API
call isn't suitable for use by mod_ssl, so mod_ssl doesn't exploit it
secure renegotiation not implemented

0.9.8m and later
legacy renegotiation is allowed only if an API call is made; this
release has a new API suitable for use by mod_ssl
secure renegotiation is implemented

mod_ssl in general

client-initiated renegotiation is never needed
server-initiated renegotiation is required for some optional mod_ssl
configurations; if the admin needs to disable server-initiated
renegotiation, they have to consider if their configuration is
impacted and how to mitigate

mod_ssl starting in httpd 2.2.15

* client-initiated renegotiation, legacy or new, is always disabled,
regardless of the level of OpenSSL
* one possible MITM attack against server-initiated legacy
renegotiation is protected against, regardless of the level of
OpenSSL; this is not a complete solution though
* when used with OpenSSL 0.9.8m or later:
** mod_ssl sets a request note as well as a request "envvar" to
indicate whether the client supports secure renegotiation
** the new renegotiation protocol is available with no config changes
** legacy renegotiation is disabled by default
** a new directive is provided to enable legacy renegotiation if that
is required because of the client base


Clients still need to be upgraded to support the new renegotiation protocol.

View raw message