VU#120541/CVE-2009-3555 and IMAPS/POPS with nginx

Quanah Gibson-Mount quanah at
Sat Nov 21 03:18:10 MSK 2009

--On Saturday, November 21, 2009 3:12 AM +0300 Maxim Dounin 
<mdounin at> wrote:

> Hello!
> On Fri, Nov 20, 2009 at 03:14:29PM -0800, Quanah Gibson-Mount wrote:
>> I've patched nginx, and tested https, POPS, and IMAPS.  https fails
>> correctly:
> What patch you used, nginx version and openssl version?  Recent
> nginx versions (0.8.23+, 0.7.64) already has workarounds for older
> openssl libraries and correctly disable renegotiation in all
> mentioned cases, closing connection immediately.  At least they do
> so on all openssl versions I've tested.

nginx-0.5.37 + security patches 
(<>, etc)
openssl 0.9.8l

As I noted, it correctly hangs up HTTPS.  It leaves POPS and IMAPS open.



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration

More information about the nginx mailing list