This is regarding the security vulnerability CVE-2009-3555 (does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions).

To deal with this issue, a workaround was added by Ben Laurie which disables all renegotiation, so it will break all uses where renegotiation is required and used (link: https://bugzilla.redhat.com/show_bug.cgi?id=533125, comment #2).

This is the patch which will disable the renegotiation:
http://cvs.openssl.org/chngview?cn=18791
http://cvs.openssl.org/chngview?cn=18794

The comment of this patch is "Use existing code to disable renegotiation. Die if we see a client hello." and "Disable renegotiation", so this probably means it drops the connection if renegotiation is attempted from the client.

Joshi

On Thu, Nov 19, 2009 at 12:06 AM, Kyle Hamilton <[email protected]> wrote:
> Er, *why* are you dropping the connection when renegotiation is tried?
> The appropriate response, per RFC, if you don't want to renegotiate
> is to send a warning "no_renegotiation" alert.
>
> -Kyle H
>
> On Mon, Nov 16, 2009 at 10:40 PM, joshi chandra <[email protected]> wrote:
>>
>> Hi,
>>
>> I have got a patch from the cvs of OpenSSL which will disable all the
>> renegotiation and also will drop the connection if renegotiation is tried.
>>
>> This is the patch from the cvs:
>> http://cvs.openssl.org/chngview?cn=18791
>> http://cvs.openssl.org/chngview?cn=18794
>> http://cvs.openssl.org/chngview?cn=18795
>>
>> As I am using this patch in an older version of OpenSSL (9.8h and 9.8k), will
>> this patch disable the renegotiation and also drop the connection if
>> renegotiation is done?
>>
>> Thanks in advance
>>
>> Joshi
>>
>>
>> Lutz Jaenicke wrote:
>>>
>>> Boyle Owen wrote:
>>>> PPS: Although I have subscribed to this list, I am not getting the mails
>>>> (I have to keep checking the archives). Is there anyone who can check
>>>> out my account?
>>>>
>>>
>>> Hmm. If memory serves me right there was a "subscribe" message sent to
>>> the list instead of the mailing list manager (which I then moderated
>>> away)...
>>> Please try again, we do have some handy form on the web page.
>>>
>>> Best regards,
>>> Lutz

--
Regards
Joshi Chandran
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
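The two server-side policies discussed in the thread, "die if we see a client hello" (the cvs patch) versus answering with a warning-level no_renegotiation alert (the RFC behaviour Kyle describes, RFC 5246 section 7.2.2), shown side by side in a minimal TLS record handler. This is an added, self-contained example; it is not the OpenSSL patch and not code from the thread, and the sample records below are constructed for illustration.

```python
"""Added example: how a server that refuses renegotiation can react to a
ClientHello arriving on an already-established TLS connection."""
import struct

CONTENT_ALERT = 21            # TLS record content types (RFC 5246)
CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1    # handshake message type
ALERT_LEVEL_WARNING = 1       # AlertLevel.warning
ALERT_NO_RENEGOTIATION = 100  # AlertDescription.no_renegotiation


def parse_record(data: bytes):
    """Split one TLS record into (content_type, (major, minor), body)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return ctype, (major, minor), body


def is_client_hello(record: bytes) -> bool:
    """True if the record is a handshake record whose first message is a ClientHello."""
    ctype, _, body = parse_record(record)
    return ctype == CONTENT_HANDSHAKE and len(body) >= 4 and body[0] == HANDSHAKE_CLIENT_HELLO


def no_renegotiation_alert(version=(3, 1)) -> bytes:
    """Build the warning no_renegotiation alert: 5-byte header + 2-byte alert body."""
    header = struct.pack("!BBBH", CONTENT_ALERT, version[0], version[1], 2)
    return header + bytes([ALERT_LEVEL_WARNING, ALERT_NO_RENEGOTIATION])


def handle_record(record: bytes, handshake_done: bool, policy: str):
    """Return (action, bytes_to_send) for an incoming record.
    policy 'die'   -> drop the connection, as the patch in the thread does.
    policy 'alert' -> keep the connection and send the no_renegotiation warning."""
    if not (handshake_done and is_client_hello(record)):
        return "pass", b""  # initial handshake or application data: normal processing
    if policy == "die":
        return "drop", b""
    if policy == "alert":
        _, version, _ = parse_record(record)
        return "alert", no_renegotiation_alert(version)
    raise ValueError("unknown policy: %r" % policy)


# Constructed samples: a TLS 1.0 handshake record carrying a (truncated) ClientHello,
# and a TLS 1.0 application-data record carrying three bytes of payload.
SAMPLE_CLIENT_HELLO = bytes.fromhex("16 03 01 00 06 01 00 00 02 03 01")
SAMPLE_APP_DATA = bytes.fromhex("17 03 01 00 03 61 62 63")
```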
