tomcat-dev mailing list archives

From Rainer Jung <>
Subject Re: SSL MITM status update
Date Fri, 20 Nov 2009 09:26:32 GMT
Sounds good to me, thanks!

Info not yet ready for users@: On dev@httpd there is discussion whether
to fix request splicing attacks by dropping the buffer, therefore
effectively not allowing a partial request received before the reneg to
be combined with the request coming after the reneg. Although we don't
know yet whether that is the only attack possible, all scenarios I have
heard of use request splicing.

Discussion and testing whether this breaks clients still has to proceed.
I think it's not a reason to prevent a release here, but there might be
more fine-grained workarounds feasible for the attack in combination with
server-initiated reneg.



On 20.11.2009 00:20, Mark Thomas wrote:
> Feedback / comments on the info below. I'd like to get it out to users@
> and announce@ fairly soon.
> Cheers,
> Mark
> ===================================================
> Overview
> ========
> Work on the root cause is progressing but is still in a state of flux.
> The purpose of this update is to provide information on the current
> understanding so users are better informed when making decisions
> regarding risk mitigation for this issue in their environment.
> BIO Connector
> =============
> The HTTP BIO connector that ships with 6.0.20 and 5.5.28 supports client
> and server initiated negotiation and is vulnerable to CVE-2009-3555.
> A patch [1] has been applied to trunk, 6.0.x and 5.5.x that provides an
> option to disable renegotiation. This patch has an issue in that it uses
> an asynchronous callback to close the connection when a handshake is
> detected. It is theoretically possible for an attack to complete before
> the connection is closed. When negotiation is disabled, both server and
> client initiated attempts to renegotiate are logged.
> An updated patch [2] has been applied to trunk and proposed for 6.0.x
> and 5.5.x that resolves the asynchronous concerns but only logs server
> initiated renegotiation.
> Users of 6.0.20, 5.5.28 and earlier versions can apply either of the
> patches. It will be necessary to build Tomcat from source to use these
> patches.
> Testing with both these patches has shown that using the connector
> attributes clientAuth="want" and allowUnsafeLegacyRenegotiation="false"
> provides a similar user experience during negotiation to
> clientAuth="false" and allowUnsafeLegacyRenegotiation="true" although
> this may vary by application.
> It is anticipated that 6.0.21 and 5.5.29 releases will be made once the
> situation stabilises and the Tomcat development team is confident that
> further changes will not be required.
> NIO Connector
> =============
> The HTTP NIO connector that ships with 6.0.20 and 5.5.28 does not
> support client or server initiated renegotiation and is therefore not
> vulnerable to CVE-2009-3555.
> As and when negotiation support is added to the NIO connector, it will
> support the allowUnsafeLegacyRenegotiation connector attribute and
> behave in a similar manner to the HTTP BIO connector.
> APR / native Connector
> ======================
> Behaviour of the APR/native connector depends on the version of the
> APR/native connector and on the version of OpenSSL that the connector is
> built with. Versions prior to APR/native 1.1.16 are not discussed.
> The Windows binaries available from the ASF have been built with the
> following OpenSSL versions:
> APR/native  OpenSSL
> 1.1.16      0.9.8i
> 1.1.17      0.9.8l
> 1.1.18      0.9.8k - TBC
> Any version of the APR/native connector built with OpenSSL 0.9.8l will
> not support client or server initiated negotiation and will, therefore,
> not be vulnerable to CVE-2009-3555.
> Client initiated negotiation is supported in 1.1.16 and 1.1.17. These
> versions are, therefore, vulnerable to CVE-2009-3555 unless built with
> OpenSSL 0.9.8l.
> Client initiated negotiation has been disabled in 1.1.18. Therefore,
> this version is not vulnerable to CVE-2009-3555 via client initiated
> renegotiation although it may still be vulnerable via server initiated
> renegotiation.
> Server initiated renegotiation is supported in 1.1.17 onwards.
> Therefore, 1.1.17 onwards is vulnerable to CVE-2009-3555 via server
> initiated renegotiation unless the APR/native connector is built with
> OpenSSL 0.9.8l.
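As an added illustration that is not part of either message above, a server.xml fragment for the HTTP BIO connector showing the renegotiation-enabled configuration beside the mitigated one Mark describes. It assumes a Tomcat 6.0.x build from source with patch [1] or [2] applied (the attribute does not exist in an unpatched 6.0.20); port, keystore path and password are placeholders.

```xml
<!-- Added example, not from the original thread. Assumes a Tomcat 6.0.x
     source build with patch [1] or [2] applied, since
     allowUnsafeLegacyRenegotiation is only present in patched builds.
     Port, keystore path and password are placeholders. -->

<!-- Before: legacy renegotiation left enabled on the HTTP BIO connector.
     Client and server initiated renegotiation is accepted, which is the
     behaviour affected by CVE-2009-3555. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/REPLACE-ME.jks" keystorePass="REPLACE-ME"
           clientAuth="false"
           allowUnsafeLegacyRenegotiation="true" />

<!-- After: renegotiation disabled. The patched connector closes the
     connection when a renegotiation handshake is detected and logs the
     attempt (which direction is logged depends on the patch applied).
     clientAuth="want" requests an optional client certificate in the
     initial handshake, so applications that need one no longer depend on
     a later renegotiation; the thread reports this gives a similar user
     experience to clientAuth="false" with renegotiation allowed. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/REPLACE-ME.jks" keystorePass="REPLACE-ME"
           clientAuth="want"
           allowUnsafeLegacyRenegotiation="false" />
```

After applying the change, watch the Tomcat log for the renegotiation-attempt entries the patch emits; a steady stream of them from one source is worth investigating.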
