tomcat-users mailing list archives

From Jens Neu <jens....@biotronik.com>
Subject CVE-2009-3555 fix in tomcat-native-1.1.19?!
Date Fri, 15 Jan 2010 16:35:21 GMT
Dear all,

I just installed the tomcat-native-1.1.19 APR connector alongside 
tomcat-6.0.20, since my understanding of its CHANGELOG.txt is that the 
renegotiation vulnerability should be gone when using this APR connector, 
despite my openssl version being below 0.9.8l (since I'm on 
CentOS/RHEL5).

It installed fine, tomcat runs fine too, the APR connector is used (according 
to catalina.out), everything seems shiny BUT:

<code>
7:jens@eluveitie:~> openssl s_client -connect 10.0.8.193:8443
CONNECTED(00000003)
[...]
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 3A9B50B20A6B3F62DE137E5642240DE0018863D3ED86B8EADAA5E46436D589E5
    Session-ID-ctx: 
    Master-Key: C579C042442C519FE02CF96A050EDAAD208C421E2FD1CA6E20DC818A13A7ABC5306AACFFDF36A440A3E1FED43CCDCB59
    Key-Arg   : None
    Start Time: 1263572654
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---


GET / HTTP/1.0
Host:evil.com
R


RENEGOTIATING
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
5253:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
</code>


the GET / HTTP/1.0 until the "R" is manually inserted, I expect something 
like

<code>
2860:error:1409444C:SSL routines:SSL3_READ_BYTES:tlsv1 alert no renegotiation:./ssl/s3_pkt.c:1053:SSL alert number 100
</code>

but certainly no RENEGOTIATION. Any hints?

System is CentOS 5.4, packages:
openssl-0.9.8e-12.el5
apr-devel-1.2.7-11.el5_3.1
apr-1.2.7-11.el5_3.1


thanks in advance! (probably will be afk for the weekend)
regards

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens.neu@biotronik.de


www.biotronik.com

BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Registered office: Berlin, Register court: Berlin HRA 6501

Represented by its general partner:
BIOTRONIK MT SE
Registered office: Berlin, Register court: Berlin HRB 118866 B
Chairman of the Administrative Board: Dr. Max Schaldach
Managing Directors: Christoph Böhmer, Dr. Werner Braun, Dr. 
Lothar Krings

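The renegotiation probe shown in the message, as an added shell example that is not part of the original post: it classifies an `openssl s_client` transcript by outcome and wraps the same "R" test for a given host:port (openssl(1) being on PATH and the host:port argument are assumptions). A handshake failure after RENEGOTIATING, as in the transcript above, means the renegotiation did not complete, and the classifier reports that separately from a renegotiation that finished and still got an HTTP response.

```shell
#!/bin/sh
# Added example, not from the original post: classify the transcript of an
# "openssl s_client ... then R" renegotiation probe, plus a wrapper that runs it.

# classify_renego TRANSCRIPT  -> prints one of:
#   refused_alert  server answered with a "no renegotiation" alert (alert 100)
#   no_attempt     s_client never printed RENEGOTIATING
#   completed      a new handshake ran and an HTTP response still arrived
#   aborted        renegotiation started but the handshake failed or the
#                  connection was dropped (the outcome in the message)
classify_renego() {
  transcript="$1"
  if printf '%s\n' "$transcript" | grep -q 'no renegotiation\|alert number 100'; then
    echo refused_alert; return 0
  fi
  printf '%s\n' "$transcript" | grep -q 'RENEGOTIATING' || { echo no_attempt; return 0; }
  # Only look at what happened after the renegotiation was requested.
  after=$(printf '%s\n' "$transcript" | sed -n '/RENEGOTIATING/,$p')
  if printf '%s\n' "$after" | grep -q 'HTTP/1\.[01] [0-9][0-9][0-9]'; then
    echo completed
  else
    echo aborted
  fi
}

# probe_renego HOST:PORT -- same sequence as the post: start a request, send "R"
# (s_client's renegotiate command), then finish the request. Assumes openssl(1)
# is installed; the sleeps keep "R" in its own read so s_client treats it as a
# command rather than as request data.
probe_renego() {
  target="$1"
  transcript=$( { sleep 1; printf 'GET / HTTP/1.0\r\nHost: %s\r\n' "${target%%:*}"; \
                  sleep 1; printf 'R\n'; sleep 2; printf '\r\n'; sleep 2; } \
                | openssl s_client -connect "$target" 2>&1 )
  classify_renego "$transcript"
}

# Constructed, abridged transcripts for offline use; the first mirrors the message.
SAMPLE_ABORTED='CONNECTED(00000003)
RENEGOTIATING
verify return:0
5253:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:'
SAMPLE_REFUSED='CONNECTED(00000003)
RENEGOTIATING
2860:error:1409444C:SSL routines:SSL3_READ_BYTES:tlsv1 alert no renegotiation:./ssl/s3_pkt.c:1053:SSL alert number 100'
SAMPLE_COMPLETED='CONNECTED(00000003)
RENEGOTIATING
verify return:0
HTTP/1.1 200 OK'
```

Run `probe_renego host:8443` against a server you administer; `classify_renego "$SAMPLE_ABORTED"` prints `aborted` for the transcript in the message.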
