tomcat-dev mailing list archives

From Mark Thomas <>
Subject Re: SSL MITM status update
Date Fri, 20 Nov 2009 09:41:45 GMT
Rainer Jung wrote:
> Sounds good to me, thanks!
> Info not yet ready for users@: On dev@httpd there is discussion, whether
> to fix request splicing attacks by dropping the buffer, therefore
> effectively not allowing a partial request before reneg to be combined
> with the request coming after the reneg. Although we don't know yet whether
> that is the only attack possible, all scenarios I have heard of use
> request splicing.
> Discussion and testing whether this breaks clients still has to proceed.
> I think it's not a reason to prevent a release here, but there might be
> more fine-grained workarounds for the attack in combination with
> server-initiated reneg feasible.

Thanks. I'll add something to the first paragraph along the lines of:
"Discussion is focussed on workarounds that could be applied that would
allow server initiated renegotiation without exposing the participant to
the vulnerability described in CVE-2009-3555."

Unless anyone complains, I'll send this out later today.


> Regards,
> Rainer
> On 20.11.2009 00:20, Mark Thomas wrote:
>> Feedback / comments on the info below. I'd like to get it out to users@
>> and announce@ fairly soon.
>> Cheers,
>> Mark
>> ===================================================
>> Overview
>> ========
>> Work on the root cause is progressing but is still in a state of flux.
>> The purpose of this update is to provide information on the current
>> understanding so users are better informed when making decisions
>> regarding risk mitigation for this issue in their environment.
>> BIO Connector
>> =============
>> The HTTP BIO connector that ships with 6.0.20 and 5.5.28 supports client
>> and server initiated negotiation and is vulnerable to CVE-2009-3555.
>> A patch [1] has been applied to trunk, 6.0.x and 5.5.x that provides an
>> option to disable renegotiation. This patch has an issue in that it uses
>> an asynchronous callback to close the connection when a handshake is
>> detected. It is theoretically possible for an attack to complete before
>> the connection is closed. When negotiation is disabled, both server and
>> client initiated attempts to renegotiate are logged.
>> An updated patch [2] has been applied to trunk and proposed for 6.0.x
>> and 5.5.x that resolves the asynchronous concerns but only logs server
>> initiated renegotiation.
>> Users of 6.0.20, 5.5.28 and earlier versions can apply either of the
>> patches. It will be necessary to build Tomcat from source to use these
>> patches.
>> Testing with both these patches has shown that using the connector
>> attributes clientAuth="want" and allowUnsafeLegacyRenegotiation="false"
>> provides a similar user experience during negotiation to
>> clientAuth="false" and allowUnsafeLegacyRenegotiation="true" although
>> this may vary by application.
>> It is anticipated that 6.0.21 and 5.5.29 releases will be made once the
>> situation stabilises and the Tomcat development team is confident that
>> further changes will not be required.
>> NIO Connector
>> =============
>> The HTTP NIO connector that ships with 6.0.20 and 5.5.28 does not
>> support client or server initiated renegotiation and is therefore not
>> vulnerable to CVE-2009-3555.
>> As and when negotiation support is added to the NIO connector, it will
>> support the allowUnsafeLegacyRenegotiation connector attribute and
>> behave in a similar manner to the HTTP BIO connector.
>> APR / native Connector
>> ======================
>> Behaviour of the APR/native connector depends on the version of the
>> APR/native connector and on the version of OpenSSL that the connector is
>> built with. Versions prior to APR/native 1.1.16 are not discussed.
>> The Windows binaries available from the ASF have been built with the
>> following OpenSSL versions:
>> APR/native  OpenSSL
>> 1.1.16      0.9.8i
>> 1.1.17      0.9.8l
>> 1.1.18      0.9.8k - TBC
>> Any version of the APR/native connector built with OpenSSL 0.9.8l will
>> not support client or server initiated negotiation and will, therefore,
>> not be vulnerable to CVE-2009-3555.
>> Client initiated negotiation is supported in 1.1.16 and 1.1.17. These
>> versions are, therefore, vulnerable to CVE-2009-3555 unless built with
>> OpenSSL 0.9.8l.
>> Client initiated negotiation has been disabled in 1.1.18. Therefore,
>> this version is not vulnerable to CVE-2009-3555 via client initiated
>> renegotiation although it may still be vulnerable via server initiated
>> renegotiation.
>> Server initiated renegotiation is supported in 1.1.17 onwards.
>> Therefore, 1.1.17 onwards is vulnerable to CVE-2009-3555 via server
>> initiated renegotiation unless the APR/native connector is built with
>> OpenSSL 0.9.8l.

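As an added example (not code from this thread or from Tomcat), a small audit of the Connector elements in a server.xml against the exposure rules Mark sets out above: NIO is not affected, the BIO connector is treated as mitigated only with an explicit allowUnsafeLegacyRenegotiation="false", and the APR/native verdict follows the version matrix. The sample server.xml is constructed, the protocol class names are the Tomcat 6 Coyote handlers, and treating a bare protocol="HTTP/1.1" as the BIO connector is an assumption (with the APR/native library loaded, Tomcat would select the APR connector instead).

```python
import xml.etree.ElementTree as ET

BIO = "org.apache.coyote.http11.Http11Protocol"   # "HTTP/1.1" assumed to mean BIO
NIO = "org.apache.coyote.http11.Http11NioProtocol"
APR = "org.apache.coyote.http11.Http11AprProtocol"
# Constructed server.xml fragment: one connector of each kind.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
  <Connector port="8444" protocol="%s" SSLEnabled="true"
             clientAuth="want" allowUnsafeLegacyRenegotiation="false"/>
  <Connector port="8445" protocol="%s" SSLEnabled="true"/>
  <Connector port="8446" protocol="%s" SSLEnabled="true"/>
</Service>""" % (BIO, NIO, APR)

def apr_exposure(apr_version, openssl_version):
    """Renegotiation kinds an APR/native build still accepts: {"client", "server"}."""
    if openssl_version == "0.9.8l":          # 0.9.8l supports no renegotiation at all
        return set()
    v = tuple(int(x) for x in apr_version.split("."))
    if v < (1, 1, 16):
        raise ValueError("APR/native before 1.1.16 is not covered by the thread")
    modes = set()
    if v <= (1, 1, 17):
        modes.add("client")                  # client-initiated: 1.1.16 and 1.1.17
    if v >= (1, 1, 17):
        modes.add("server")                  # server-initiated: 1.1.17 onwards
    return modes

def audit(server_xml, apr_version, openssl_version):
    """Return {port: finding} for every SSLEnabled Connector in server_xml."""
    findings = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        proto = c.get("protocol", "HTTP/1.1").replace("HTTP/1.1", BIO)
        if proto == NIO:
            msg = "not vulnerable: NIO connector has no renegotiation support"
        elif proto == APR:
            modes = apr_exposure(apr_version, openssl_version)
            msg = ("vulnerable via %s-initiated renegotiation" % "/".join(sorted(modes))
                   if modes else "not vulnerable: built with OpenSSL 0.9.8l")
        # BIO: absent attribute = renegotiation allowed (unpatched 6.0.20/5.5.28)
        elif c.get("allowUnsafeLegacyRenegotiation", "true").lower() != "false":
            msg = 'vulnerable: set allowUnsafeLegacyRenegotiation="false" (patched build)'
        elif c.get("clientAuth", "false") == "false":
            msg = 'mitigated; consider clientAuth="want" if the app needs client certs'
        else:
            msg = "mitigated"
        findings[c.get("port")] = msg
    return findings
```

Run `audit(SAMPLE_SERVER_XML, "1.1.17", "0.9.8k")` to see one finding per SSL port; the APR verdict changes to server-initiated only for "1.1.18" and to not vulnerable for an OpenSSL 0.9.8l build.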
