I don't see anything wrong with MS's behavior. As per the MS Security Advisory, they have completely disabled renegotiations as a workaround and that's why you still see NOT supported with patched IIS6 servers. Only when they decide to support the RI extension (http://tools.ietf.org/html/rfc5746) would you see IS Supported in the trace.
-Sandeep

On Mon, Jun 21, 2010 at 1:28 PM, Eric Kinolik <[email protected]> wrote:
> Sandeep,
> Well that seems to be what's causing the confusion. On both the IIS6
> server which was patched with MS's workaround as well as an Apache
> server that is vulnerable, it states them as NOT supported. It says
> that even though actually trying to renegotiate gives two different
> results (renegotiates insecurely on Apache, errors and closes connection
> on IIS6). Trying this on a non-vulnerable version of Apache it states
> that Secure Renegotiation IS supported (even though it errors and
> closes the connection when actually trying to renegotiate just like the
> IIS6 server).
>
> As Steve said, when doing a -tlsextdebug on the secure Apache server I
> receive:
> TLS server extension "renegotiate" (id=65281), len=1
> 0001 - <SPACES/NULS>
> I don't receive that on the secure IIS6 (or the insecure Apache server).
> So this basically seems to be a MS problem and is probably part of the
> reason why they call it a workaround instead of an actual fix.
>
> Eric Kinolik
> [email protected]
>
> On 06/20/2010 11:55 PM, sandeep kiran p wrote:
> > Steve,
> >
> > The trace clearly says that the server does not support Secure
> > Renegotiation.
> >
> > <SNIP>
> >
> > New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
> > Server public key is 1024 bit
> > *Secure Renegotiation IS NOT supported*
> > Compression: NONE
> >
> > <SNIP>
> >
> > Are we missing anything?
> >
> > -Sandeep
> >
> > On Thu, Jun 17, 2010 at 12:30 PM, Stephen Henson via RT <[email protected]> wrote:
> >
> > > [[email protected] - Thu Jun 17 20:59:31 2010]:
> > >
> > > > When running SSL_get_secure_renegotiation_support() with
> > > > 0.9.8n/0.9.8o/1.0.0a against an IIS6 server (win2003 I believe) which
> > > > was patched with KB977377 the function returns that renegotiation is
> > > > supported even though it's not.
> > > > ( http://support.microsoft.com/kb/977377 )
> > >
> > > The actual function is saying the server sent back an extension saying
> > > it supported secure renegotiation. That means it is safe to attempt to
> > > renegotiate with the server; it does not guarantee that the server will
> > > actually accept a renegotiation attempt.
> > >
> > > I'd suggest you include the -tlsextdebug option to s_client and see if
> > > you get the RI extension back from the server.
> > >
> > > Steve.
> > > --
> > > Dr Stephen N. Henson. OpenSSL project core developer.
> > > Commercial tech support now available see: http://www.openssl.org
> > >
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > Development Mailing List                       [email protected]
> > > Automated List Manager                           [email protected]
