https://issues.apache.org/bugzilla/show_bug.cgi?id=48210

           Summary: TLS / SSL Man-In-The-Middle Renegotiation
                    Vulnerability
           Product: Apache httpd-2
           Version: 2.2.14
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: mod_ssl
        AssignedTo: [email protected]
        ReportedBy: [email protected]


TLS / SSL Man-In-The-Middle Renegotiation Vulnerability 

TLS and its predecessor, SSL, are cryptographic protocols that provide security
for communications over IP data networks such as the Internet. An industry-wide
vulnerability exists in the TLS protocol that could impact many products that
use any version of TLS and SSL. The vulnerability exists in how the protocol
handles session renegotiation and exposes users to a potential
man-in-the-middle attack.

TLS 1.0 (and higher) and SSL 3.0 (and higher) do not properly associate
renegotiation handshakes with an existing connection, which allows
man-in-the-middle attackers to insert data into HTTPS sessions, and possibly
other types of sessions protected by TLS or SSL, by sending an unauthenticated
request that is processed retroactively by a server in a post-renegotiation
context, related to a "plaintext injection" attack, aka the "Project Mogul"
issue.

Affected versions and products include the TLS protocol 1.0 and the SSL
protocol 3.0 and possibly earlier, as used in Microsoft Internet Information
Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier,
OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security
Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products.

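An inventory check against the affected version ranges listed in the report, as an added example that is not part of the original bug report or of any Apache code. The product keys, hostnames and sample inventory are constructed for illustration; only the version boundaries come from the report.

```python
import re

# Affected ranges as listed in the report: (boundary version, inclusive?)
AFFECTED = {
    "httpd":   ("2.2.14", True),   # mod_ssl in Apache HTTP Server 2.2.14 and earlier
    "openssl": ("0.9.8l", False),  # OpenSSL before 0.9.8l
    "gnutls":  ("2.8.5",  True),   # GnuTLS 2.8.5 and earlier
    "nss":     ("3.12.4", True),   # NSS 3.12.4 and earlier
}

def parse_version(text):
    """'0.9.8k' -> (0, 9, 8, 0, 11): four numeric fields, then letter rank (none=0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})([a-z]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return tuple(nums) + (letter,)

def is_affected(product, version):
    boundary, inclusive = AFFECTED[product]
    v, b = parse_version(version), parse_version(boundary)
    return v <= b if inclusive else v < b

def audit(inventory):
    """Return (host, product, version, status) for each inventory row."""
    report = []
    for host, product, version in inventory:
        try:
            status = "affected" if is_affected(product, version) else "outside listed range"
        except (KeyError, ValueError):
            status = "unknown"  # product not in the report, or unparseable version
        report.append((host, product, version, status))
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("web01", "httpd", "2.2.14"), ("web02", "httpd", "2.2.15"),
    ("web01", "openssl", "0.9.8k"), ("web02", "openssl", "0.9.8l"),
    ("ldap01", "gnutls", "2.8.5"), ("proxy01", "nss", "3.12.4"),
    ("app01", "openssl", "0.9.8k-fips"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Distribution packages often carry backported fixes under an unchanged upstream version string, so a hit here is a prompt to check the vendor advisory rather than proof of exposure.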