nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation

JW jw at mailsw.com
Sun Feb 14 08:45:55 MSK 2010


On Saturday 13 February 2010 01:03:16 am Igor Sysoev wrote:
> On Fri, Feb 12, 2010 at 05:28:15PM -0600, JW wrote:
> > I'm running nginx/0.7.64, compiled from source.
> >
> > The top of the changelog that came with the source says:
> >
> > Changes with nginx 0.7.64                                        16 Nov 2009
> >
> >     *) Security: now SSL/TLS renegotiation is disabled.
> >        Thanks to Maxim Dounin.
> >
> >
> > Also http://nginx.org/en/security_advisories.html says:
> >
> > The renegotiation vulnerability in SSL protocol
> > Severity: major
> > VU#120541  CVE-2009-3555
> > Not vulnerable: 0.8.23+, 0.7.64+
> >
> >
> > I also checked against http://sysoev.ru/nginx/patch.cve-2009-3555.txt and
> > the source I have does seem to contain that patch.
> >
> >
> > However, I've had a scanning vendor tell me I'm still vulnerable to the
> > problem:
> >
> > " . . . service allows renegotiation of TLS / SSL connections."
> >
> > and references CVE-2009-3555
> >
> >
> > What can I do in order to make sure this is fixed please?
>
> Could you create nginx debug log of the scanning connections?

I will see what I can do to accommodate that request.

	JW

-- 

----------------------
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com
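Added example (not part of the thread, and not nginx project code): one way to check from the outside whether a server still accepts client-initiated renegotiation, which is what the scanner in the original question reports. It relies on documented `openssl s_client` behaviour: once the handshake is done, a line consisting of `R` on stdin makes the client request a renegotiation and print `RENEGOTIATING` on stderr. The script then sends a plain HTTP request; if a status line comes back after the renegotiation, the server completed it and kept serving, while an nginx that disables renegotiation drops the connection instead. The host name, the `-tls1_2` default (renegotiation does not exist in TLS 1.3, so a pre-1.3 protocol must be forced; use `-tls1` against servers of the 0.7.64 era) and the sample transcripts are assumptions made up for this example.

```shell
#!/bin/sh
# Added example, not from the nginx project or the mailing-list thread.
# Checks whether a TLS server accepts client-initiated renegotiation.

# Turn an s_client transcript into a verdict: "allowed", "refused" or
# "inconclusive". The verdict is "allowed" only if an HTTP status line is
# seen after s_client announced RENEGOTIATING, i.e. the server completed
# the renegotiation and went on to answer the request.
classify_renegotiation() {
    printf '%s\n' "$1" | awk '
        # Modern OpenSSL clients refuse to renegotiate with a server that
        # lacks RFC 5746 support; that tells us nothing about the server.
        /unsafe legacy renegotiation/ { verdict = "inconclusive"; exit }
        /RENEGOTIATING/              { seen = 1; next }
        seen && /^HTTP\/1\./         { verdict = "allowed"; exit }
        END {
            if (verdict == "") verdict = seen ? "refused" : "inconclusive"
            print verdict
        }'
}

# Usage: check_renegotiation HOST [PORT] [PROTOCOL_FLAG]
# The "R" line and the request are sent with pauses in between because
# s_client discards whatever follows "R" in the same read from stdin.
check_renegotiation() {
    host="$1"; port="${2:-443}"; proto="${3:--tls1_2}"
    transcript=$(
        { printf 'R\n'; sleep 2
          printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host"; sleep 2; } |
        openssl s_client -connect "$host:$port" -servername "$host" "$proto" 2>&1 || true
    )
    classify_renegotiation "$transcript"
}

# Only touch the network when a host is given on the command line, so
# sourcing the file or running it without arguments does nothing.
if [ "$#" -ge 1 ]; then
    check_renegotiation "$@"
fi
```

Run it as `sh check-reneg.sh www.example.test 443` (placeholder host). A result of "refused" matches what the 0.7.64 changelog promises; "allowed" means the scanner is right and the running binary is not the patched one; "inconclusive" means the client side never got as far as a renegotiation, which is also worth reporting back together with the debug log Igor asked for.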


