nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation
Igor Sysoev
igor at sysoev.ru
Sat Feb 13 10:03:16 MSK 2010
On Fri, Feb 12, 2010 at 05:28:15PM -0600, JW wrote:
> I'm running nginx/0.7.64, compiled from source.
>
> The top of the changelog that came with the source says:
>
> Changes with nginx 0.7.64 16 Nov 2009
>
> *) Security: now SSL/TLS renegotiation is disabled.
> Thanks to Maxim Dounin.
>
>
> Also http://nginx.org/en/security_advisories.html says:
>
> The renegotiation vulnerability in SSL protocol
> Severity: major
> VU#120541 CVE-2009-3555
> Not vulnerable: 0.8.23+, 0.7.64+
>
>
> I also checked against http://sysoev.ru/nginx/patch.cve-2009-3555.txt and the
> source I have does seem to contain that patch.
>
>
> However, I've had a scanning vendor tell me I'm still vulnerable to the
> problem:
>
> " . . . service allows renegotiation of TLS / SSL connections."
>
> and references CVE-2009-3555
>
>
> What can I do in order to make sure this is fixed please?
Could you create nginx debug log of the scanning connections ?
--
Igor Sysoev
http://sysoev.ru/en/
More information about the nginx
mailing list