Disable SSL renegotiation (CVE-2009-3555)

Hello!

Here is a proof-of-concept patch which disables ssl renegotiation,
which was recently found vulnerable to man-in-the-middle attacks.

I’ve tested it with old openssl (0.9.7e) and most recent one
(0.9.8l, with renegotiation disabled out of the box) and it
appears to work as expected.

Further testing much appreciated.

Maxim D.

Hello!

On Fri, Nov 06, 2009 at 04:22:03PM +0300, Maxim D. wrote:

> Hello!
>
> Here is a proof-of-concept patch which disables ssl renegotiation,
> which was recently found vulnerable to man-in-the-middle attacks.
>
> I’ve tested it with old openssl (0.9.7e) and most recent one
> (0.9.8l, with renegotiation disabled out of the box) and it
> appears to work as expected.

Updated patch which takes care of openssl problems with disabled
renegotiation (present even in most recent 0.9.8l) and closes the
connection as soon as we detect a renegotiation attempt.

> Further testing much appreciated.

Still applies.

Some notes:

  1. Patch is for 0.8.22, but it applies to 0.7.63 cleanly;

  2. If you see “[alert] … unexpected SSL renegotiation” in logs
    and it appears to happen on legitimate use - please report.

  3. Patch disables all renegotiations out there, including ones
    with backends. This may hurt setups with backends requesting
    client certs via renegotiation (e.g. apache is known to be able to do
    so when configured). AFAIK currently there is no way to fix such
    setups to make them secure.

Maxim D.

Hello!

On Sat, Nov 07, 2009 at 06:23:15PM +0300, Maxim D. wrote:

> renegotiation (present even in most recent 0.9.8l) and closes
>
>   2. If you see “[alert] … unexpected SSL renegotiation” in logs
>     and it appears to happen on legitimate use - please report.
>
>   3. Patch disables all renegotiations out there, including ones
>     with backends. This may hurt setups with backends requesting
>     client certs via renegotiation (e.g. apache is known to be able to do
>     so when configured). AFAIK currently there is no way to fix such
>     setups to make them secure.

Updated patch. It disables renegotiation only for server
connections (ones accepted by nginx). This will preserve
configurations mentioned in (3) as there is no reason to break
them (nginx doesn’t check backend certificates anyway).

Maxim D.

Hello!

On Mon, Nov 09, 2009 at 04:49:54AM +0300, Maxim D. wrote:

> (0.9.8l, with renegotiation disabled out of the box) and it
> Some notes:
> setups to make them secure.
>
> Updated patch. It disables renegotiation only for server
> connections (ones accepted by nginx). This will preserve
> configurations mentioned in (3) as there is no reason to break
> them (nginx doesn’t check backend certificates anyway).

Updated patch. Fixes null pointer dereference for SSLv2
connections.

Maxim D.
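
A small model of the behaviour these messages describe (flag a second handshake on connections the server accepted, close at once, leave backend connections alone), added here as an example; it is not the patch from this thread and not nginx code. The struct, function names and event replay are hypothetical, and only the two handshake constants mirror OpenSSL's SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE values.

```c
#include <stdio.h>
/* The first two values mirror OpenSSL's SSL_CB_HANDSHAKE_START and
 * SSL_CB_HANDSHAKE_DONE; EV_APP_DATA is a constructed marker for this model. */
#define CB_HANDSHAKE_START 0x10
#define CB_HANDSHAKE_DONE  0x20
#define EV_APP_DATA        0x1000
/* Hypothetical per-connection state, not nginx's own structure. */
typedef struct {
    int accepted;       /* 1 = we accepted it (TLS server side), 0 = we connected to a backend */
    int handshaked;     /* the initial handshake has finished */
    int renegotiation;  /* the peer started another handshake afterwards */
    int delivered;      /* application records handed to the upper layer */
} tls_conn;

/* State tracking a server could do from its TLS library's info callback. */
static void tls_info_cb(tls_conn *c, int where)
{
    /* A handshake start after a completed handshake is a renegotiation
     * attempt; only accepted (client-facing) connections are policed. */
    if ((where & CB_HANDSHAKE_START) && c->accepted && c->handshaked)
        c->renegotiation = 1;
    if (where & CB_HANDSHAKE_DONE)
        c->handshaked = 1;
}

/* Replay constructed events. Returns the index of the event on which the
 * connection is closed, or -1 if it stays open. */
static int replay(tls_conn *c, const int *ev, int n)
{
    for (int i = 0; i < n; i++) {
        if (ev[i] == EV_APP_DATA)
            c->delivered++;
        else
            tls_info_cb(c, ev[i]);
        if (c->renegotiation)
            return i;   /* log an alert and close before any further I/O */
    }
    return -1;
}

int main(void)
{
    /* Constructed sequence: handshake, one record, renegotiation, one record. */
    const int ev[] = { CB_HANDSHAKE_START, CB_HANDSHAKE_DONE, EV_APP_DATA,
                       CB_HANDSHAKE_START, CB_HANDSHAKE_DONE, EV_APP_DATA };
    tls_conn front = { 1, 0, 0, 0 }, back = { 0, 0, 0, 0 };
    int f = replay(&front, ev, 6), b = replay(&back, ev, 6);
    printf("accepted: closed at event %d, %d delivered; backend: closed at %d, %d delivered\n",
           f, front.delivered, b, back.delivered);
    return 0;
}
```

On the accepted connection the replay stops at the second handshake start, so the record that follows the renegotiation never reaches the application; the backend connection completes both handshakes and receives both records.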