nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation
Maxim Dounin
mdounin at mdounin.ru
Sun Feb 14 14:36:56 MSK 2010
Hello!
On Sat, Feb 13, 2010 at 11:45:15PM -0600, JW wrote:
> On Friday 12 February 2010 07:10:18 pm Maxim Dounin wrote:
>
> > Test is simple: run
> >
> > openssl s_client -connect <host>:443
> >
> > and once connection is established press 'R' and hit enter to
> > trigger renegotiation.
> >
> > Without the patch renegotiation will happend and connection will
> > stay alive. And you will be able to issue normal http request after
> > (something like "GET / HTTP/1.0"). With patch connection will be
> > dropped.
>
> This is what I get:
>
> ---
> R
> RENEGOTIATING
> 21395:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:530:
>
> So does that mean that actually the server is not vulnerable?
Yes. This means that you have patched nginx running, and it closes
connection once it detects renegotiation attempt. You aren't
vulnerable.
Maxim Dounin
More information about the nginx
mailing list