Hi, I need to patch OpenSSL with the renegotiation-disable fix.

I was wondering which patches I should use to resolve the renegotiation problem. Presently I have used the patch mentioned in http://cvs.openssl.org/chngview?cn=18791 on OpenSSL 9.8k and OpenSSL 9.8h. This patch disconnects the connection if renegotiation from the client is attempted. Do I also need to apply these patches on OpenSSL 9.8h and OpenSSL 9.8k to resolve this problem?

http://cvs.openssl.org/chngview?cn=18794
http://cvs.openssl.org/chngview?cn=18795

Can anyone from the OpenSSL team confirm this, as many customers are waiting for this fix?

Thanks in advance,
Joshi

On Wed, Nov 18, 2009 at 1:45 PM, <[email protected]> wrote:
> Quoting joshi chandran <[email protected]>:
>
>> Hi all,
>>
>> I have applied this patch http://cvs.openssl.org/chngview?cn=18791
>> on OpenSSL 9.8k. When I tried renegotiation, it disconnected the
>> connection.
>>
>> SSL_accept:before accept initialization
>> >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
>>     02 28
>> SSL3 alert write:fatal:handshake failure
>> SSL_accept:error in SSLv3 read client hello A
>> ERROR
>> 344264:error:1408A13F:SSL routines:SSL3_GET_CLIENT_HELLO:no renegotiation:s3_srvr.c:725:
>> shutting down SSL
>> CONNECTION CLOSED
>> ACCEPT
>>
>> For the security issue CVE-2009-3555, which patches do I need to apply
>> on OpenSSL 9.8k and OpenSSL 9.8h so that the connection gets disconnected
>> if renegotiation is attempted? (As I can see, OpenSSL 0.9.8l gets
>> into a hang state whenever renegotiation is attempted.)
>
> I can confirm that openssl-0.9.8l doesn't handle CVE-2009-3555
> satisfactorily (it hangs in a read state).
>
> If your application is exclusively Apache httpd and you're at version
> 2.2.14, there is also a patch to mod_ssl that will have the same effect
> (break the connection if the client renegotiates) before we get into OpenSSL. This
> is a bit simpler to apply (you only need to re-build a module) and will work
> with any version of OpenSSL.
>
> See:
> http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
>
> Rgds,
> Owen Boyle
>
>> Thanks in advance,
>>
>> Joshi
>>
>> On Tue, Nov 17, 2009 at 12:10 PM, joshi chandra
>> <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> I have a lot of patches from the OpenSSL CVS which will disable all
>>> renegotiation and also drop the connection if renegotiation is tried.
>>>
>>> These are the patches from the CVS:
>>> http://cvs.openssl.org/chngview?cn=18791
>>> http://cvs.openssl.org/chngview?cn=18794
>>> http://cvs.openssl.org/chngview?cn=18795
>>>
>>> As I am using these patches in older versions of OpenSSL (9.8h and 9.8k),
>>> will they disable renegotiation and also drop the connection if
>>> renegotiation is attempted?
>>>
>>> Thanks in advance,
>>>
>>> Joshi
>>>
>>>
>>> Lutz Jaenicke wrote:
>>>>
>>>> Boyle Owen wrote:
>>>>>
>>>>> PPS: Although I have subscribed to this list, I am not getting the
>>>>> mails (I have to keep checking the archives). Is there anyone who can
>>>>> check out my account?
>>>>>
>>>>
>>>> Hmm. If memory serves me right there was a "subscribe" message sent to
>>>> the list instead of the mailing list manager (which I then moderated
>>>> away)...
>>>> Please try again, we do have some handy form on the web page.
>>>>
>>>> Best regards,
>>>> Lutz
>>>> ______________________________________________________________________
>>>> OpenSSL Project                                 http://www.openssl.org
>>>> Development Mailing List                       [email protected]
>>>> Automated List Manager                           [email protected]
>>>>
>>>
>>> --
>>> View this message in context:
>>> http://old.nabble.com/Test-of-disabled-renegotiation-in-0.9.8l-tp26301719p26385119.html
>>> Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
>>>
>>
>> --
>> Regards
>> Joshi Chandran
>

--
Regards
Joshi Chandran
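The thread's evidence that the patch works is the server-side trace ending in `error:1408A13F:...:no renegotiation`. The following is an added example, not code from the thread or from the OpenSSL project: it decodes OpenSSL 0.9.8/1.0-style error lines into their packed library/function/reason fields, counts refused renegotiations in a server log so an operator can confirm the patched behaviour the thread describes, and builds a TLS server context with `ssl.OP_NO_RENEGOTIATION`, the option later OpenSSL releases (1.1.0h and newer) provide for the same effect. The sample log lines other than the one quoted in the thread are constructed, as are the helper names.

```python
"""Verify that a server refuses client-initiated TLS renegotiation:
decode OpenSSL error lines from a server trace and, on current Python/OpenSSL,
set the modern equivalent of the 2009 patch (ssl.OP_NO_RENEGOTIATION)."""
import re
import ssl
from collections import Counter

# OpenSSL 0.9.8/1.0.x error-string layout (":"-separated fields):
#   [pid:]error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
# The 32-bit code is ERR_PACK(lib, func, reason): library in bits 31..24,
# function in bits 23..12, reason in bits 11..0. OpenSSL 3.x dropped the
# function field, so this decoder targets the pre-3.0 format seen in the thread.
ERR_LINE = re.compile(
    r"^(?:(?P<pid>\d+):)?error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>[^:]*):(?P<line>\d+):?"
)


def parse_openssl_error(line):
    """Return a dict describing one OpenSSL error line, or None if it is not one."""
    m = ERR_LINE.match(line.strip())
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "code": code,
        "lib_num": (code >> 24) & 0xFF,
        "func_num": (code >> 12) & 0xFFF,
        "reason_num": code & 0xFFF,
        "lib": m.group("lib"),
        "func": m.group("func"),
        "reason": m.group("reason"),
        "file": m.group("file"),
        "line": int(m.group("line")),
    }


def count_refused_renegotiations(log_lines):
    """Tally 'no renegotiation' errors by OpenSSL function name; other OpenSSL
    errors are tallied by reason so a noisy log is still summarised."""
    refused, other = Counter(), Counter()
    for line in log_lines:
        rec = parse_openssl_error(line)
        if rec is None:
            continue  # handshake trace, alert dumps, status lines
        if rec["reason"] == "no renegotiation":
            refused[rec["func"]] += 1
        else:
            other[rec["reason"]] += 1
    return refused, other


def harden_server_context():
    """Build a TLS server context that refuses client-initiated renegotiation.
    Returns (context, enforced); enforced is False when the linked OpenSSL
    predates SSL_OP_NO_RENEGOTIATION, in which case only a patched library
    (as discussed in the thread) can give the same behaviour."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    opt = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if opt is None:
        return ctx, False
    ctx.options |= opt
    return ctx, True


def refuses_renegotiation(ctx):
    """True if the context carries OP_NO_RENEGOTIATION (False where unavailable)."""
    opt = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    return bool(opt is not None and ctx.options & opt)


# Constructed sample trace. The two 'no renegotiation' lines reproduce the one
# quoted in the thread; the final line is a constructed unrelated error.
SAMPLE_LOG = [
    "SSL_accept:before accept initialization",
    ">>> TLS 1.0 Alert [length 0002], fatal handshake_failure",
    "SSL3 alert write:fatal:handshake failure",
    "SSL_accept:error in SSLv3 read client hello A",
    "344264:error:1408A13F:SSL routines:SSL3_GET_CLIENT_HELLO:no renegotiation:s3_srvr.c:725:",
    "CONNECTION CLOSED",
    "344264:error:1408A13F:SSL routines:SSL3_GET_CLIENT_HELLO:no renegotiation:s3_srvr.c:725:",
    "344265:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1053:",
]

if __name__ == "__main__":
    refused, other = count_refused_renegotiations(SAMPLE_LOG)
    print("refused renegotiations by function:", dict(refused))
    print("other OpenSSL errors by reason:", dict(other))
    ctx, enforced = harden_server_context()
    print("OP_NO_RENEGOTIATION enforced on context:", refuses_renegotiation(ctx))
```

Decoding 0x1408A13F gives library 20 (ERR_LIB_SSL), function 138 and reason 319, which is how one cross-checks a trace against the error tables of the exact OpenSSL build in use rather than relying on the free-text reason alone.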
