TLS Renegotiation
on 08.04.2010 15:24:31 by Vorazzo Manuela
Hello everyone.

I have an Apache 2.2.11 up and running in a Linux SUSE 10 environment with OpenSSL version 0.9.6g.

After a network scan they've found that I have to disable TLS Renegotiation support in my server.

I've seen that I can do this with the SSLInsecureRenegotiation off directive in my configuration file, but this is available with Apache 2.2.15.

I found this on the web:

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

Is there some workaround to do this without upgrading my Apache version?

I mean some mod_ssl configuration directives that I can set to bypass the problem/vulnerability?

Thanks in advance.

Greetings

Vorazzo Manuela
*******************Internet Email Confidentiality Footer*******************
Any unauthorized use of this e-mail or any of its attachments is prohibited and could constitute an offence. If you are not the intended addressee please advise immediately the sender by using the reply facility in your e-mail software and destroy the message and its attachments. The statements and opinions expressed in this e-mail message are those of the author of the message and do not necessarily represent those of SIA-SSB S.p.A. Besides, the contents of this message shall be understood as neither given nor endorsed by SIA-SSB S.p.A. SIA-SSB S.p.A. does not accept liability for corruption, interception or amendment, if any, or the consequences thereof.
Re: TLS Renegotiation
on 08.04.2010 15:39:18 by Eric Covener
On Thu, Apr 8, 2010 at 9:24 AM, Vorazzo Manuela wrote:
> *) SECURITY: CVE-2009-3555 (cve.mitre.org)
> Is there some workaround to do this without upgrade my apache version???
>
> I mean some mod_ssl configuration directives that I can set for bypass the problem/vulnerability???
No, you'd minimally need a new openssl (that blocks insecure
renegotiation by default).
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
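To see what the scanner saw, and to confirm the fix once mod_ssl is linked against an OpenSSL that implements RFC 5746, the probe below sends a TLS 1.0 ClientHello carrying both RFC 5746 signals (the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher value and an empty renegotiation_info extension) and reports whether the ServerHello answers with renegotiation_info. This is an example added to the thread, not code from Apache, mod_ssl or OpenSSL; the host name, port and the sample ServerHello used for the offline check are constructed for the example.

```python
"""Probe for RFC 5746 (secure renegotiation) support on a TLS server.

Added example for this thread; not code from Apache, mod_ssl or OpenSSL.
Speaks plain TLS 1.0 so that old servers (OpenSSL 0.9.6/0.9.8 era) still answer.
"""
import os
import socket
import struct

RENEG_INFO_EXT = 0xFF01                 # renegotiation_info extension (RFC 5746)
EMPTY_RENEG_SCSV = 0x00FF               # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A  # still offered by very old OpenSSL builds


def build_client_hello(server_name: str) -> bytes:
    """TLS 1.0 ClientHello record advertising both RFC 5746 signals (SCSV + extension)."""
    ciphers = struct.pack("!HHH", TLS_RSA_WITH_AES_128_CBC_SHA,
                          TLS_RSA_WITH_3DES_EDE_CBC_SHA, EMPTY_RENEG_SCSV)
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # server_name list
    exts = (struct.pack("!HH", 0x0000, len(sni)) + sni
            + struct.pack("!HHB", RENEG_INFO_EXT, 1, 0))  # empty renegotiated_connection
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"          # version, random, no session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                    # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_hello_body(body: bytes) -> dict:
    """Pull version, cipher and renegotiation_info out of a ServerHello body."""
    version = (body[0], body[1])
    off = 2 + 32                                    # skip server random
    off += 1 + body[off]                            # skip session id
    cipher = struct.unpack("!H", body[off:off + 2])[0]
    off += 3                                        # cipher suite + compression method
    secure = False
    if off + 2 <= len(body):                        # extensions block is optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if etype == RENEG_INFO_EXT:
                # On an initial handshake renegotiated_connection must be empty: one 0x00 length byte.
                secure = body[off:off + elen] == b"\x00"
            off += elen
    return {"version": version, "cipher": cipher, "secure_renegotiation": secure}


def parse_server_hello(data: bytes) -> dict:
    """Walk TLS records until the ServerHello; raise ValueError on an alert or garbage.

    Assumes the ServerHello is the first handshake message of its record, which is
    how common stacks send it.
    """
    pos = 0
    while pos + 5 <= len(data):
        ctype, rlen = data[pos], struct.unpack("!H", data[pos + 3:pos + 5])[0]
        rec = data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype == 0x15 and len(rec) >= 2:           # alert: the server refused us
            raise ValueError(f"alert level={rec[0]} description={rec[1]}")
        if ctype == 0x16 and rec and rec[0] == 0x02:  # handshake record, server_hello
            hlen = int.from_bytes(rec[1:4], "big")
            return _parse_hello_body(rec[4:4 + hlen])
    raise ValueError("no ServerHello in server response")


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, send the probe ClientHello and classify the server's reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        buf = b""
        while len(buf) < 5 or len(buf) < 5 + struct.unpack("!H", buf[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_server_hello(buf)


def make_sample_server_hello(with_reneg_info: bool) -> bytes:
    """Constructed ServerHello record (not a capture) so the parser can be exercised offline."""
    body = (b"\x03\x01" + bytes(range(32)) + b"\x00"
            + struct.pack("!H", TLS_RSA_WITH_AES_128_CBC_SHA) + b"\x00")
    if with_reneg_info:
        ext = struct.pack("!HHB", RENEG_INFO_EXT, 1, 0)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    import sys
    for label, sample in (("patched", True), ("legacy", False)):
        print(label, parse_server_hello(make_sample_server_hello(sample)))
    if len(sys.argv) > 1:                           # e.g. python probe.py www.example.com 443
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A ServerHello carrying renegotiation_info means the stack behind mod_ssl implements RFC 5746, which is exactly what the 0.9.8m-or-later requirement in the changelog entry buys you. The absence of the extension is less informative: it does not distinguish a server that still allows legacy renegotiation from one whose OpenSSL simply refuses all renegotiation. To tell those apart, connect with `openssl s_client -connect host:443` (a client built against 0.9.8m or later prints "Secure Renegotiation IS supported" or "IS NOT supported" after the handshake) and type `R` on a line by itself to request a renegotiation; a server that still accepts it over a connection without the extension is the case the scanner is complaining about.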