nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation

JW jw at
Sat Feb 13 02:28:15 MSK 2010

I'm running nginx/0.7.64, compiled from source.

The top of the changelog that came with the source says:

Changes with nginx 0.7.64                                        16 Nov 2009

    *) Security: now SSL/TLS renegotiation is disabled.
       Thanks to Maxim Dounin.

Also says:

The renegotiation vulnerability in SSL protocol
Severity: major
VU#120541  CVE-2009-3555
Not vulnerable: 0.8.23+, 0.7.64+

I also checked against and the 
source I have does seem to contain that patch.

However, I've had a scanning vendor tell me I'm still vulnerable to the 

" . . . service allows renegotiation of TLS / SSL connections."

and references CVE-2009-3555

What can I do in order to make sure this is fixed please?




System Administrator - Cedar Creek Software
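
Added example, not part of the original post or of nginx: one way to check a scanner's "allows renegotiation" finding is to request a client-initiated renegotiation with `openssl s_client` against your own server and classify what comes back. The function names and the two sample transcripts are constructed for illustration; the classifier keys on the `RENEGOTIATING` marker that `s_client` prints after `R` is sent.

```shell
#!/bin/sh
# Added example: classify an `openssl s_client` transcript in which "R" was
# sent to request a client-initiated renegotiation.

# Capture a transcript from your own server (defined here, not run below).
# -tls1_2 is assumed because TLS 1.3 has no renegotiation to request.
capture_transcript() {
    (printf 'R\n'; sleep 3) | openssl s_client -connect "$1:$2" -tls1_2 2>&1
}

# Read a transcript on stdin and print one verdict:
#   not-attempted  no RENEGOTIATING marker, the request was never sent
#   refused        an error or connection drop followed the request
#   accepted       the handshake ran again (certificate chain re-verified)
#   inconclusive   request sent, but neither outcome is visible
reneg_verdict() {
    awk '
        /^RENEGOTIATING/           { asked = 1; next }
        asked && /:error:|errno=/  { print "refused";  done = 1; exit }
        asked && /verify return:/  { print "accepted"; done = 1; exit }
        END {
            if (done) exit
            print (asked ? "inconclusive" : "not-attempted")
        }'
}

# Constructed sample transcripts (not captured from a real host).
sample_refused() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = www.example.test
verify return:1
---
RENEGOTIATING
write:errno=104
EOF
}
sample_accepted() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = www.example.test
verify return:1
---
RENEGOTIATING
depth=0 CN = www.example.test
verify return:1
EOF
}

sample_refused  | reneg_verdict
sample_accepted | reneg_verdict
```

A `refused` verdict from the host the scanner actually probed is the evidence to send back to the vendor; `accepted` usually means the scan reached a different binary or a TLS-terminating device in front of nginx.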
