VU#120541/CVE-2009-3555 and IMAPS/POPS with nginx
Maxim Dounin
mdounin at mdounin.ru
Sat Nov 21 03:12:15 MSK 2009
Hello!
On Fri, Nov 20, 2009 at 03:14:29PM -0800, Quanah Gibson-Mount wrote:
> I've patched nginx, and tested https, POPS, and IMAPS. https fails
> correctly:
>
> ---
> R
> RENEGOTIATING
>
> 3915:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:529:
>
> However, POPS and IMAPS do not:
>
> ---
> * OK IMAP4 ready
> R
> RENEGOTIATING
>
> <hangs forever>
>
> ---
> +OK POP3 ready
> R
> RENEGOTIATING
>
> <hangs forever>
>
> It seems the patch only correctly handles HTTPS, and not these other
> protocols.
What patch you used, nginx version and openssl version? Recent
nginx versions (0.8.23+, 0.7.64) already has workarounds for older
openssl libraries and correctly disable renegotiation in all
mentioned cases, closing connection immediately. At least they do
so on all openssl versions I've tested.
The only connection hang till timeout I'm aware of is proxy_pass
https://... when backend asks for renegotiation. It isn't easy
to catch this case without touching openssl code (or enabling
renegotiation), so it was left as is. After all, it's openssl
problem.
Maxim Dounin
More information about the nginx
mailing list