VU#120541/CVE-2009-3555 and IMAPS/POPS with nginx
Quanah Gibson-Mount
quanah at zimbra.com
Sat Nov 21 04:15:13 MSK 2009
--On Saturday, November 21, 2009 3:51 AM +0300 Maxim Dounin
<mdounin at mdounin.ru> wrote:
> Hello!
>
>
>> nginx-0.5.37 + security patches
>> (<http://sysoev.ru/nginx/patch.cve-2009-3555.txt>, etc)
>> openssl 0.9.8l
>>
>> As I noted, it correctly hangs up HTTPS. It leaves POPS and IMAPS open.
>
> Just tested - works ok here.
>
> Are you sure you aren't using openssl 0.9.8l s_client for
> imaps/pop3s tests? It has renegotiation disabled and can't be
> used for testing ("R" only prints "RENEGOTIATING" and does nothing).

[root@perf11 ~]# /usr/bin/openssl version
OpenSSL 0.9.7a Feb 19 2003
[root@perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect perf11.lab.zimbra.com:443
CONNECTED(00000003)
[snip]
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv3
---
R
RENEGOTIATING
22917:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

As you can see, HTTPS correctly hangs up.

[root@perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect perf11.lab.zimbra.com:993
CONNECTED(00000003)
[snip]
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv3
---
* OK IMAP4 ready
R
RENEGOTIATING
(hang for over 20 minutes)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
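
Added example, not part of the original message and not code from nginx or OpenSSL: a time-bounded version of the manual test above. It reports whether the server tore the session down after the renegotiation request (the HTTPS result) or went silent (the IMAPS result), instead of waiting on a hang. The function names, outcome labels and 15-second default are assumptions of this example. It also assumes an s_client build that can renegotiate on the negotiated protocol, which per the quoted reply excludes 0.9.8l.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the outcome of the manual
# test shown above: connect with s_client, send "R", watch what the server does.

# classify_reneg CLIENT_VERSION TIMED_OUT     (s_client transcript on stdin)
# Prints one of: invalid-client | no-attempt | refused | hung | inconclusive
classify_reneg() (
    version=$1 timed_out=$2
    transcript=$(cat)
    # Everything the client printed after it requested renegotiation.
    after=$(printf '%s\n' "$transcript" | sed -n '/^RENEGOTIATING/,$p' | sed 1d)
    case $version in
        *0.9.8l*)
            # Per the quoted reply: this client prints RENEGOTIATING and does
            # nothing, so its transcript says nothing about the server.
            echo invalid-client ;;
        *)
            if ! printf '%s\n' "$transcript" | grep -q '^RENEGOTIATING'; then
                echo no-attempt
            elif printf '%s\n' "$after" | grep -q ':error:.*SSL routines'; then
                echo refused        # session torn down, as on port 443 above
            elif [ "$timed_out" = 1 ] && [ -z "$after" ]; then
                echo hung           # no error and no close, as on port 993 above
            else
                echo inconclusive
            fi ;;
    esac
)

# probe_reneg HOST PORT [SECONDS]: run the test with a time bound.
# Protocol flags (the thread used -ssl3) are left to the operator.
probe_reneg() (
    host=$1 port=$2 limit=${3:-15}
    out=$( { sleep 3; echo R; sleep "$limit"; } |
           timeout "$limit" openssl s_client -connect "$host:$port" 2>&1 )
    # coreutils timeout exits with 124 when it had to kill the client.
    [ $? -eq 124 ] && timed_out=1 || timed_out=0
    printf '%s\n' "$out" | classify_reneg "$(openssl version)" "$timed_out"
)

# Probes only when called with arguments: sh reneg-check.sh HOST PORT [SECONDS]
if [ "$#" -ge 2 ]; then probe_reneg "$@"; fi
```

A saved transcript can be fed to classify_reneg directly, with the client's version string and a 0 or 1 timeout flag as its arguments.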