VU#120541/CVE-2009-3555 and IMAPS/POPS with nginx

Quanah Gibson-Mount quanah at zimbra.com
Sat Nov 21 04:15:13 MSK 2009


--On Saturday, November 21, 2009 3:51 AM +0300 Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
>
>> nginx-0.5.37 + security patches
>> (<http://sysoev.ru/nginx/patch.cve-2009-3555.txt>, etc)
>> openssl 0.9.8l
>>
>> As I noted, it correctly hangs up HTTPS.  It leaves POPS and IMAPS open.
>
> Just tested - works ok here.
>
> Are you sure you aren't using openssl 0.9.8l s_client for
> imaps/pop3s tests?  It has renegotiation disabled and can't be
> used for testing ("R" only prints "RENEGOTIATING" and does nothing).

[root at perf11 ~]# /usr/bin/openssl version
OpenSSL 0.9.7a Feb 19 2003

[root at perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect perf11.lab.zimbra.com:443
CONNECTED(00000003)

[snip]

---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3

---
R
RENEGOTIATING
22917:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

As you can see, HTTPS correctly hangs up.

[root at perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect perf11.lab.zimbra.com:993
CONNECTED(00000003)

[snip]
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3


---
* OK IMAP4 ready
R
RENEGOTIATING


(hang for over 20 minutes)

--Quanah




--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
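The manual "R" test in the sessions above, automated as an added example that is not code from this thread or from nginx: a POSIX shell script that sends "R" to a TLS port, bounds the run with a timeout so an IMAPS hang like the one shown cannot block for 20 minutes, and classifies the result, refusing to run on an OpenSSL 0.9.8l client for the reason Maxim gives. It assumes coreutils `timeout` is installed and that s_client's `-state` lines and error strings match the transcripts above.

```shell
# Added example (not from the original thread). Assumes coreutils "timeout"
# exists and that "openssl s_client -state" prints the state lines and error
# strings seen in the transcripts above.

# Classify captured "openssl s_client -state" output after "R" was sent.
#   rejected      - handshake failure / no_renegotiation alert after
#                   RENEGOTIATING: the server refused client renegotiation
#   accepted      - a second "read finished" state after RENEGOTIATING: the
#                   renegotiation completed, so CVE-2009-3555 still applies
#   inconclusive  - RENEGOTIATING printed, then nothing: the server hung
#                   (as with IMAPS above; bounded here by the timeout) or the
#                   client itself cannot renegotiate (OpenSSL 0.9.8l s_client)
#   not-attempted - "R" never reached s_client (no RENEGOTIATING line)
classify_reneg_output() {
    after_r=$(printf '%s\n' "$1" | sed -n '/^RENEGOTIATING/,$p')
    if [ -z "$after_r" ]; then
        echo not-attempted
        return 1
    fi
    if printf '%s\n' "$after_r" | grep -Eqi 'handshake failure|no renegotiation'; then
        echo rejected
    elif printf '%s\n' "$after_r" | grep -q 'read finished'; then
        echo accepted
    else
        echo inconclusive
    fi
}

# Probe host:port: wait for the session (and any greeting such as
# "* OK IMAP4 ready"), send "R", give the server $secs seconds, then classify.
probe_renegotiation() {
    host=$1; port=$2; secs=${3:-15}
    if openssl version | grep -q '0\.9\.8l'; then
        echo "openssl 0.9.8l s_client cannot renegotiate; use another build" >&2
        return 2
    fi
    # timeout (coreutils, assumed present) ends a hung session like the IMAPS one
    out=$( { sleep 2; printf 'R\n'; sleep "$secs"; } |
           timeout $((secs + 5)) openssl s_client -state -connect "$host:$port" 2>&1 || true )
    printf '%s:%s %s\n' "$host" "$port" "$(classify_reneg_output "$out")"
}

# Usage (needs network access; the host name is a placeholder):
#   for p in 443 993 995; do probe_renegotiation mail.example.com "$p"; done
```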