nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation
JW
jw at mailsw.com
Sun Feb 14 08:45:15 MSK 2010
On Friday 12 February 2010 07:10:18 pm Maxim Dounin wrote:
> Test is simple: run
>
> openssl s_client -connect <host>:443
>
> and once connection is established press 'R' and hit enter to
> trigger renegotiation.
>
> Without the patch renegotiation will happend and connection will
> stay alive. And you will be able to issue normal http request after
> (something like "GET / HTTP/1.0"). With patch connection will be
> dropped.
This is what I get:
---
R
RENEGOTIATING
21395:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:530:
So does that mean that actually the server is not vulnerable?
> Note well:
>
> 1. You need openssl <= 0.9.8k (unpatched one, not 'l'!) on
> client to test it, as in 0.9.8l renegotiation is completely broken
> by default and connection will just hang.
Got it on client.
> 2. With openssl 0.9.8l on server connection will hang, too. This
> means that you aren't vulnerable, but it's not easy to distinguish
> this case from the case with 0.9.8l on client (which just doesn't
> allow you to test).
Server has an older version
> 3. First of all you should patch openssl, not nginx. Once you'll
> patch openssl on your system all programs which use it will be
> safe, not just nginx.
Unfortunately our OS vendor has not yet released a patch for openssl.
JW
--
----------------------
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com
More information about the nginx
mailing list