nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation

JW jw at
Sun Feb 14 08:45:15 MSK 2010

On Friday 12 February 2010 07:10:18 pm Maxim Dounin wrote:

> Test is simple: run
> openssl s_client -connect <host>:443
> and once connection is established press 'R' and hit enter to
> trigger renegotiation.
> Without the patch renegotiation will happen and connection will
> stay alive.  And you will be able to issue normal http request after
> (something like "GET / HTTP/1.0").  With patch connection will be
> dropped.

This is what I get:

21395:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake 

So does that mean that actually the server is not vulnerable?

> Note well:
> 1. You need openssl <= 0.9.8k (unpatched one, not 'l'!) on
> client to test it, as in 0.9.8l renegotiation is completely broken
> by default and connection will just hang.

Got it on client.

> 2. With openssl 0.9.8l on server connection will hang, too.  This
> means that you aren't vulnerable, but it's not easy to distinguish
> this case from the case with 0.9.8l on client (which just doesn't
> allow you to test).

Server has an older version.

> 3. First of all you should patch openssl, not nginx.  Once you
> patch openssl on your system all programs which use it will be
> safe, not just nginx.

Unfortunately our OS vendor has not yet released a patch for openssl.



System Administrator - Cedar Creek Software
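
The manual test quoted in this message, scripted so the three outcomes it describes (connection stays alive, connection dropped, connection hangs) are told apart mechanically. This is an added example, not code from the thread or from nginx; the function names are hypothetical, and it assumes `timeout` from GNU coreutils and a client openssl of 0.9.8k or older, as the quoted note requires.

```shell
#!/bin/sh
# Added example (not from the original thread).

# classify_reneg TRANSCRIPT STATUS
#   TRANSCRIPT: combined stdout+stderr of the s_client session
#   STATUS:     exit status of the session (124 = killed by timeout(1))
classify_reneg() {
    transcript=$1
    status=$2
    case $transcript in
        *RENEGOTIATING*) ;;   # s_client prints this when it acts on 'R'
        *) echo "inconclusive: renegotiation was never requested"
           return 0 ;;
    esac
    # Only consider what arrived after the renegotiation request.
    after=${transcript#*RENEGOTIATING}
    if printf '%s\n' "$after" | grep -q '^HTTP/1\.[01] '; then
        # The plain HTTP request was answered on the renegotiated session.
        echo "renegotiation accepted: server is unpatched"
    elif [ "$status" -eq 124 ]; then
        echo "hang: openssl 0.9.8l on client or server, cannot tell which"
    else
        echo "connection dropped: renegotiation refused"
    fi
}

# reneg_probe HOST [PORT]
# Sends 'R', then "GET / HTTP/1.0". stdin is held open past the timeout so
# that a hung renegotiation always ends as status 124; a run can therefore
# take about 26 seconds.
reneg_probe() {
    out=$( { sleep 3; echo R; sleep 3
             printf 'GET / HTTP/1.0\r\n\r\n'; sleep 20; } |
           timeout 15 openssl s_client -connect "$1:${2:-443}" 2>&1 )
    classify_reneg "$out" $?
}
```

Run `reneg_probe <host>` only against servers you administer; a "hang" result still needs the openssl versions on both ends checked by hand.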
