httpd-users mailing list archives

From Vorazzo Manuela <manuela.vora...@siassb.eu>
Subject [users@httpd] TLS Renegotiation
Date Thu, 08 Apr 2010 13:24:31 GMT
Hello everyone.
I have Apache 2.2.11 up and running in a Linux SUSE 10 environment with OpenSSL version 0.9.6.g.

After a network scan, they found that I have to disable TLS renegotiation support on my server.
I've seen that I can do this with the SSLInsecureRenegotiation off directive in my configuration
file, but this is available with Apache 2.2.15.
I found this on the web:

*) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

Is there some workaround to do this without upgrading my Apache version?
I mean some mod_ssl configuration directives that I can set to bypass the problem/vulnerability?


Thanks in advance.
Greetings

Vorazzo Manuela
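
An added example, not part of the original message and not Apache's or OpenSSL's own code: a check of an httpd/OpenSSL version pair against the two thresholds named above (httpd 2.2.15 and OpenSSL 0.9.8m), including the letter-suffixed OpenSSL version scheme. The function names are hypothetical, and the result is only an approximation where a vendor package carries backported fixes under an older version string.

```python
import re

# Thresholds taken from the message and the changelog entry it quotes.
MIN_HTTPD = (2, 2, 15)         # release the message ties SSLInsecureRenegotiation to
MIN_OPENSSL = (0, 9, 8, "m")   # OpenSSL version the changelog entry requires


def parse_httpd(text):
    """Extract (major, minor, patch) from '2.2.11' or an 'Apache/2.2.11' banner."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no httpd version in {text!r}")
    return tuple(int(g) for g in m.groups())


def parse_openssl(text):
    """Extract (major, minor, fix, letters) from '0.9.8m', '0.9.6.g' or a banner.

    OpenSSL releases of that era order patch letters a..z, then za, zb, ...;
    plain string comparison reproduces that order, and '' sorts first.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.?([a-z]{0,2})\b", text)
    if not m:
        raise ValueError(f"no OpenSSL version in {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def renegotiation_fix_status(httpd_version, openssl_version):
    """Return (ok, reasons): ok is True only if both thresholds are met."""
    reasons = []
    if parse_httpd(httpd_version) < MIN_HTTPD:
        reasons.append(f"httpd {httpd_version} predates 2.2.15")
    if parse_openssl(openssl_version) < MIN_OPENSSL:
        reasons.append(f"OpenSSL {openssl_version} predates 0.9.8m")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Versions as stated in the message above.
    ok, reasons = renegotiation_fix_status("2.2.11", "0.9.6.g")
    print("comprehensive fix available:", ok)
    for reason in reasons:
        print(" -", reason)
```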