https://issues.apache.org/bugzilla/show_bug.cgi?id=48866
Summary: Clarification regarding CVE-2009-3555
Product: Apache httpd-2
Version: 2.2.14
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [email protected]
Per CVE-2009-3555
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555), mod_ssl (among
many products that use SSL/TLS) is vulnerable to a MITM attack during SSL/TLS
renegotiation. The CVE and various advisories posted online are not very clear
on the scope of this vulnerability. The CVE seems to suggest that the
vulnerability manifests itself only when client cert authentication is used.
However, other advisories suggest that this could happen even when client cert
authentication is not involved, if the client or server requests a
re-negotiate.
My first question is: Are Apache web servers 2.2.x with mod_ssl vulnerable to
this issue if client certificate authentication is not used?
My second question is: 2.2 documentation refers to a new mod_ssl directive
called SSLInsecureRenegotiation:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation. The
document mentions that this is only supported in 2.2.15 but I have not seen
2.2.15 being released. When would it be released?
Thanks
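The scope question above turns on whether a server speaks the RFC 5746 fix for CVE-2009-3555, which a client can see directly in the ServerHello: a patched server (httpd 2.2.15 with a patched OpenSSL, or any other RFC 5746 implementation) answers a ClientHello that carries TLS_EMPTY_RENEGOTIATION_INFO_SCSV with an empty `renegotiation_info` extension (type 0xff01). The checker below is an added example written for this page, not code from the reporter or from the httpd project; the function names and the sample ServerHello bytes are constructed for illustration, not captured traffic.

```python
import struct

# RFC 5746 constants
RENEGOTIATION_INFO = 0xFF01              # extension type renegotiation_info
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite a client sends


def build_server_hello(advertise_secure_reneg: bool, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (sample data, not a capture).

    With advertise_secure_reneg=True the server includes renegotiation_info with
    an empty renegotiated_connection field, as RFC 5746 requires on the initial
    handshake. With False it behaves like a pre-RFC 5746 server.
    """
    body = b"\x03\x03" + bytes(32)                     # version + server random (zeros)
    body += bytes([len(session_id)]) + session_id      # session_id
    body += b"\x00\x2f"                                # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x00"                                    # null compression
    if advertise_secure_reneg:
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"   # length 1, data 0x00
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body        # type ServerHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS handshake record holding a ServerHello and report
    whether the server advertised RFC 5746 secure renegotiation."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not carry a complete ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello body")

    pos = 0
    version = (body[pos], body[pos + 1]); pos += 2
    pos += 32                                   # server random
    sid_len = body[pos]; pos += 1
    pos += sid_len                              # session_id
    if pos + 3 > len(body):
        raise ValueError("truncated after session_id")
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 1                                    # compression method

    extensions = {}
    if pos < len(body):                         # extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        if end != len(body):
            raise ValueError("extensions length does not match body")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if len(edata) != elen:
                raise ValueError("truncated extension")
            extensions[etype] = edata
        if pos != end:
            raise ValueError("trailing bytes in extensions block")

    reneg = extensions.get(RENEGOTIATION_INFO)
    if reneg is not None and reneg != b"\x00":
        # On an initial handshake the field must be empty; anything else is a
        # protocol violation and an RFC 5746 client aborts the handshake.
        raise ValueError("non-empty renegotiation_info on initial handshake")

    return {
        "version": version,
        "cipher_suite": cipher_suite,
        "extensions": extensions,
        "secure_renegotiation": reneg == b"\x00",
    }


if __name__ == "__main__":
    for flag in (True, False):
        info = parse_server_hello(build_server_hello(flag))
        print("RFC 5746 secure renegotiation:", info["secure_renegotiation"])
```

A server that omits the extension has not been updated for RFC 5746 (for httpd that means a release before 2.2.15, or a build against an OpenSSL without the fix), and an updated client will refuse to renegotiate with it. The absence of the extension says nothing by itself about whether that server will ever renegotiate, which is what the reporter's first question is really about; it only tells you the server cannot do so safely.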