VU#120541/CVE-2009-3555 and IMAPS/POPS with nginx
mdounin at mdounin.ru
Sat Nov 21 03:51:57 MSK 2009
On Fri, Nov 20, 2009 at 04:18:10PM -0800, Quanah Gibson-Mount wrote:
> --On Saturday, November 21, 2009 3:12 AM +0300 Maxim Dounin
> <mdounin at mdounin.ru> wrote:
> >On Fri, Nov 20, 2009 at 03:14:29PM -0800, Quanah Gibson-Mount wrote:
> >>I've patched nginx, and tested https, POPS, and IMAPS. https fails
> >What patch you used, nginx version and openssl version? Recent
> >nginx versions (0.8.23+, 0.7.64) already has workarounds for older
> >openssl libraries and correctly disable renegotiation in all
> >mentioned cases, closing connection immediately. At least they do
> >so on all openssl versions I've tested.
> nginx-0.5.37 + security patches
> (<http://sysoev.ru/nginx/patch.cve-2009-3555.txt>, etc)
> openssl 0.9.8l
> As I noted, it correctly hangs up HTTPS. It leaves POPS and IMAPS open.
Just tested - works ok here.
Are you sure you aren't used openssl 0.9.8l s_client for
imaps/pop3s tests? It has renegotiation disabled and can't be
used for testing ("R" only prints "RENEGOTIATING" and do nothing).
More information about the nginx