tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject [SECURITY] CVE-2009-3555 SSL Man-In-The-Middle attack - Status update
Date Fri, 20 Nov 2009 20:11:33 GMT

The purpose of this update is provide information on the current
understanding so users are better informed when making decisions
regarding risk mitigation for this issue in their environment.

Work on the root cause is progressing but is still in a state of flux.
Discussion is focussed on workarounds that could be applied that would
allow server initiated renegotiation without exposing the participants
to the vulnerability described in CVE-2009-3555.

BIO Connector

The HTTP BIO connector that ships with 6.0.20 and 5.5.28 supports client
and server initiated negotiation and is vulnerable to CVE-2009-3555.

A patch [1],[2] has been applied to trunk, 6.0.x and 5.5.x that provides
an option to disable renegotiation. This patch has an issue in that it
uses an asynchronous callback to close the connection when a handshake
is detected. It is theoretically possible for an attack to complete
before the connection is closed. When negotiation is disabled, both
server and client initiated attempts to renegotiate are logged.

An updated patch [3] has been applied to trunk and proposed for 6.0.x
and 5.5.x that resolves the asynchronous concerns but only logs server
initiated renegotiation.

Users of 6.0.20, 5.5.28 and earlier versions can apply either of the
patches. It will be necessary to build Tomcat from source to use these

Testing with both these patches has shown that using the connector
attributes clientAuth="want" and allowUnsafeLegacyRenegotiation="false"
provides a similar user experience during negotiation to
clientAuth="false" and allowUnsafeLegacyRenegotiation="true" although
this may vary by application.

It is anticipated that 6.0.21 and 5.5.29 releases will be made once the
situation stabilises and the Tomcat development team is confident that
further changes will not be required.


NIO Connector

The HTTP NIO connector that ships with 6.0.20 does not support client or
server initiated renegotiation and is therefore not vulnerable to

As and when negotiation support is added to the NIO connector, it will
support the allowUnsafeLegacyRenegotiation connector attribute and
behave in a similar manner to the HTTP BIO connector.

APR / native Connector

Behaviour of the APR/native connector depends on the version of the
APR/native connector and on the version of OpenSSL that the connector is
build with. Versions prior to APR/native 1.1.16 are not discussed.

The windows binaries available from the ASF have been built with the
following OpenSSL versions:

APR/native  OpenSSL
1.1.16      0.9.8i
1.1.17      0.9.8l
1.1.18      TBD - not yet released

Any version of the APR/native connector built with OpenSSl 0.9.8l will
not support client or server initiated negotiation and will, therefore,
not be vulnerable to CVE-2009-3555.

Client initiated negotiation is supported in 1.1.16 and 1.1.17. These
versions are, therefore, vulnerable to CVE-2009-3555 unless built with
OpenSSL 0.9.8l.

Client initiated negotiation has been disabled in 1.1.18. Therefore,
this version is not vulnerable to CVE-2009-3555 via client initiated
renegotiation although it may still be vulnerable via server initiated

Server initiated renegotiation is supported in 1.1.17 onwards.
Therefore, 1.1.17 onwards is vulnerable to CVE-2009-3555 via server
initiated renegotiation unless the APR/native connector is built with
OpenSSL 0.9.8l.

Questions / comments

Any questions or comments should be directed to the Tomcat users mailing
list in the first instance.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message