nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation

JW jw at mailsw.com
Sun Feb 14 08:45:15 MSK 2010


On Friday 12 February 2010 07:10:18 pm Maxim Dounin wrote:

> Test is simple: run
>
> openssl s_client -connect <host>:443
>
> and once connection is established press 'R' and hit enter to
> trigger renegotiation.
>
> Without the patch renegotiation will happen and connection will
> stay alive.  And you will be able to issue normal http request after
> (something like "GET / HTTP/1.0").  With patch connection will be
> dropped.

This is what I get:

---
R
RENEGOTIATING
21395:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

So does that mean that actually the server is not vulnerable?


> Note well:
>
> 1. You need openssl <= 0.9.8k (unpatched one, not 'l'!) on
> client to test it, as in 0.9.8l renegotiation is completely broken
> by default and connection will just hang.

Got it on client.

> 2. With openssl 0.9.8l on server connection will hang, too.  This
> means that you aren't vulnerable, but it's not easy to distinguish
> this case from the case with 0.9.8l on client (which just doesn't
> allow you to test).

Server has an older version

> 3. First of all you should patch openssl, not nginx.  Once you
> patch openssl on your system all programs which use it will be
> safe, not just nginx.

Unfortunately our OS vendor has not yet released a patch for openssl.

	JW

-- 

----------------------
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com
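
The manual test described in the quoted message, scripted as an added example (not part of the original thread or of nginx): a shell function that sorts a saved `openssl s_client` transcript into the outcomes the thread lists. The outcome labels, the `hung` flag and the sample transcripts other than the error line quoted above are constructed, and reading an s_client error or `closed` after `RENEGOTIATING` as a dropped connection is an assumption.

```shell
#!/bin/sh
# Added example: classify a saved `openssl s_client` transcript of the
# manual renegotiation test. Outcome labels are this example's own.

# Usage: classify_reneg <hung: 0|1> < transcript
#   hung=1: the session stopped responding after 'R' and had to be killed.
classify_reneg() {
    hung=$1
    # Keep only what s_client printed from the renegotiation request onward.
    after=$(sed -n '/^RENEGOTIATING/,$p')
    if [ -z "$after" ]; then
        echo "not-attempted"      # 'R' was never sent
    elif [ "$hung" = "1" ]; then
        echo "inconclusive-hang"  # 0.9.8l on client or on server
    elif printf '%s\n' "$after" | grep -q '^HTTP/1\.[01] [0-9][0-9][0-9]'; then
        echo "renegotiated"       # connection stayed alive, request answered
    elif printf '%s\n' "$after" | grep -Eq ':error:|^closed$'; then
        # Assumption: an s_client error or "closed" here is the dropped
        # connection described for the patched case.
        echo "dropped"
    else
        echo "unknown"
    fi
}

# Constructed transcript: renegotiation succeeded, then a request was served.
SAMPLE_ALIVE='---
R
RENEGOTIATING
GET / HTTP/1.0

HTTP/1.1 200 OK
closed'

# The output quoted in the message above.
SAMPLE_ERROR='---
R
RENEGOTIATING
21395:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:'

# Constructed transcript: nothing after the request; session was killed.
SAMPLE_HANG='---
R
RENEGOTIATING'

printf '%s\n' "$SAMPLE_ERROR" | classify_reneg 0
```

An `inconclusive-hang` result cannot tell a 0.9.8l client from a 0.9.8l server, so check the client's openssl version before trusting any other outcome.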


