Quoting joshi chandran <[email protected]>:
Hi ALL,
I have applied this patch http://cvs.openssl.org/chngview?cn=18791
on OpenSSL 0.9.8k. When I tried renegotiation, it
disconnected the connection.
SSL_accept:before accept initialization
TLS 1.0 Alert [length 0002], fatal handshake_failure
02 28
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read client hello A
ERROR
344264:error:1408A13F:SSL routines:SSL3_GET_CLIENT_HELLO:no renegotiation:s3_srvr.c:725:
shutting down SSL
CONNECTION CLOSED
ACCEPT
For the security issue CVE-2009-3555, which patches do I need to apply
on OpenSSL 0.9.8k and OpenSSL 0.9.8h so that the connection gets disconnected
if renegotiation is attempted? (As I can see, OpenSSL 0.9.8l gets
into a hang state whenever renegotiation is attempted.)
I can confirm that openssl-0.9.8l doesn't handle CVE-2009-3555
satisfactorily (it hangs in a read state).
If your application is exclusively Apache httpd and you're at version
2.2.14, there is also a patch to mod_ssl that will have the same
effect (break the connection if the client renegotiates) before we get into
OpenSSL. This is a bit simpler to apply (you only need to re-build a
module) and will work with any version of OpenSSL.
See:
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
Rgds,
Owen Boyle
Thanks In Advance
Joshi
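The alert bytes in the log above, "02 28", decode as level 2 (fatal) and description 40 (handshake_failure), and the error string "SSL3_GET_CLIENT_HELLO:no renegotiation" is the server refusing a ClientHello on a connection that already has a session. The following is an added example, not code from the thread or from OpenSSL: a small Python model of that server-side check. It parses TLS records, tracks whether the handshake has completed, and answers a second ClientHello with the same fatal alert before closing. The ClientHello and Finished records it consumes are constructed by hand, and it treats post-ChangeCipherSpec records as plaintext (an assumption; a real server decrypts them first).

```python
"""
Added example (not from the thread or from OpenSSL): minimal model of a
server that refuses TLS renegotiation by rejecting any ClientHello that
arrives once a session is established, answering with the alert seen in
the posted log (fatal handshake_failure, bytes 02 28).
"""
import struct

CONTENT_CCS = 0x14
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_FINISHED = 0x14
ALERT_FATAL = 0x02
ALERT_HANDSHAKE_FAILURE = 0x28   # decimal 40, the "28" in "02 28"
ALERT_NO_RENEGOTIATION = 0x64    # decimal 100, warning-level alternative
TLS10 = (3, 1)                   # record-layer version used in the log

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {40: "handshake_failure", 100: "no_renegotiation"}


def record(ctype, body, version=TLS10):
    """Build one TLS record: 5-byte header (type, version, length) + body."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def client_hello(version=TLS10):
    """Constructed minimal ClientHello handshake message (no real crypto)."""
    body = (bytes(version) + b"\x00" * 32      # client_version, random
            + b"\x00"                          # empty session id
            + b"\x00\x02\x00\x2f"              # one cipher suite
            + b"\x01\x00")                     # null compression only
    return bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def finished():
    """Constructed Finished message; a real one is encrypted and 12 bytes."""
    return bytes([HS_FINISHED]) + (12).to_bytes(3, "big") + b"\x00" * 12


def parse_records(data):
    """Split a byte stream into (content_type, version, payload) tuples."""
    out, off = [], 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        out.append((ctype, (major, minor), body))
        off += 5 + length
    return out


def describe_alert(payload):
    """Render a 2-byte alert payload, e.g. b'\\x02\\x28' -> 'fatal handshake_failure'."""
    level, desc = payload[0], payload[1]
    return f"{ALERT_LEVELS.get(level, level)} {ALERT_DESCS.get(desc, desc)}"


class NoRenegotiationServer:
    """Server state machine: one handshake per connection, never a second."""

    def __init__(self, version=TLS10):
        self.version = version
        self.client_ccs_seen = False
        self.established = False
        self.closed = False

    def feed(self, data):
        """Consume client bytes; return the records the server writes back."""
        writes = []
        for ctype, _version, body in parse_records(data):
            if self.closed:
                break
            if ctype == CONTENT_CCS:
                self.client_ccs_seen = True
            elif ctype == CONTENT_HANDSHAKE:
                writes.extend(self._handshake(body))
        return writes

    def _handshake(self, body):
        if len(body) < 4:
            raise ValueError("short handshake message")
        hs_type = body[0]
        if hs_type == HS_CLIENT_HELLO and self.established:
            # The check a renegotiation-disabling patch adds: a ClientHello
            # after the session exists is refused with a fatal alert and
            # the connection is shut down instead of being left to hang.
            self.closed = True
            alert = bytes([ALERT_FATAL, ALERT_HANDSHAKE_FAILURE])
            return [record(CONTENT_ALERT, alert, self.version)]
        if hs_type == HS_FINISHED and self.client_ccs_seen:
            # Assumption: the first handshake record after the client's
            # ChangeCipherSpec is Finished; a real server decrypts and
            # verifies it, here it just marks the session established.
            self.established = True
        return []


def demo():
    """Run the scenario from the log: handshake, then a renegotiation attempt."""
    srv = NoRenegotiationServer()
    srv.feed(record(CONTENT_HANDSHAKE, client_hello()))
    srv.feed(record(CONTENT_CCS, b"\x01") + record(CONTENT_HANDSHAKE, finished()))
    out = srv.feed(record(CONTENT_HANDSHAKE, client_hello()))
    return srv.closed, [describe_alert(r[5:]) for r in out]


if __name__ == "__main__":
    print(demo())
```

The model only covers the plaintext shape of the exchange; the point it makes is the order of checks: ChangeCipherSpec then Finished flips the session to established, and from then on a ClientHello is answered with the 7-byte alert record 15 03 01 00 02 02 28 and the connection is closed rather than read from again.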
On Tue, Nov 17, 2009 at 12:10 PM, joshi chandra
<[email protected]> wrote:
Hi,
I have a lot of patches from the CVS of OpenSSL which will disable all
renegotiation and also drop the connection if renegotiation is tried.
These are the patches from the CVS:
http://cvs.openssl.org/chngview?cn=18791
http://cvs.openssl.org/chngview?cn=18794
http://cvs.openssl.org/chngview?cn=18795
As I am using these patches in older versions of OpenSSL (0.9.8h and 0.9.8k), will
they disable renegotiation and also drop the connection if
renegotiation is attempted?
Thanks in Advance
Joshi
Lutz Jaenicke wrote:
Boyle Owen wrote:
PPS: Although I have subscribed to this list, I am not getting the mails
(I have to keep checking the archives). Is there anyone who can check
out my account?
Hmm. If memory serves me right there was a "subscribe" message sent to
the list instead of the mailing list manager (which I then moderated
away)...
Please try again, we do have some handy form on the web page.
Best regards,
Lutz
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
--
View this message in context:
http://old.nabble.com/Test-of-disabled-renegotiation-in-0.9.8l-tp26301719p26385119.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
--
Regards
Joshi Chandran