nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation

Maxim Dounin mdounin at mdounin.ru
Sun Feb 14 14:36:56 MSK 2010


Hello!

On Sat, Feb 13, 2010 at 11:45:15PM -0600, JW wrote:

> On Friday 12 February 2010 07:10:18 pm Maxim Dounin wrote:
> 
> > Test is simple: run
> >
> > openssl s_client -connect <host>:443
> >
> > and once connection is established press 'R' and hit enter to
> > trigger renegotiation.
> >
> > Without the patch renegotiation will happend and connection will
> > stay alive.  And you will be able to issue normal http request after
> > (something like "GET / HTTP/1.0").  With patch connection will be
> > dropped.
> 
> This is what I get:
> 
> ---
> R
> RENEGOTIATING
> 21395:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake 
> failure:s3_pkt.c:530:
> 
> So does that mean that actually the server is not vulnerable?

Yes.  This means that you have patched nginx running, and it closes 
connection once it detects renegotiation attempt.  You aren't 
vulnerable.

Maxim Dounin



More information about the nginx mailing list