Sandeep,

Well, that seems to be what's causing the confusion. On both the IIS6 server which was patched with MS's workaround as well as an Apache server that is vulnerable, it states them as NOT supported. It says that even though actually trying to renegotiate gives two different results (renegotiates insecurely on Apache, errors and closes the connection on IIS6). Trying this on a non-vulnerable version of Apache it states that Secure Renegotiation IS supported (even though it errors and closes the connection when actually trying to renegotiate, just like the IIS6 server).
As Steve said, when doing a -tlsextdebug on the secure Apache server I receive:

TLS server extension "renegotiate" (id=65281), len=1
0001 - <SPACES/NULS>

I don't receive that on the secure IIS6 (or the insecure Apache server). So this basically seems to be an MS problem and is probably part of the reason why they call it a workaround instead of an actual fix.

Eric Kinolik
[email protected]

On 06/20/2010 11:55 PM, sandeep kiran p wrote:
> Steve,
>
> The trace clearly says that the server does not support Secure
> Renegotiation.
>
> <SNIP>
>
> New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
> Server public key is 1024 bit
> *Secure Renegotiation IS NOT supported*
> Compression: NONE
>
> <SNIP>
>
> Are we missing anything?
>
> -Sandeep
>
> On Thu, Jun 17, 2010 at 12:30 PM, Stephen Henson via RT <[email protected]> wrote:
>
> [[email protected] - Thu Jun 17 20:59:31 2010]:
>
> > When running SSL_get_secure_renegotiation_support() with
> > 0.9.8n/0.9.8o/1.0.0a against an IIS6 server (win2003 I believe) which
> > was patched with KB977377 the function returns that renegotiation is
> > supported even though it's not.
> > ( http://support.microsoft.com/kb/977377 )
>
> The actual function is saying the server sent back an extension saying
> it supported secure renegotiation. That means it is safe to attempt to
> renegotiate with the server; it does not guarantee that the server will
> actually accept a renegotiation attempt.
>
> I'd suggest you include the -tlsextdebug option to s_client and see if
> you get the RI extension back from the server.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [email protected]
> Automated List Manager                           [email protected]
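Steve's point in the thread is that SSL_get_secure_renegotiation_support() only reports whether the ServerHello carried the renegotiation_info extension (id 65281; on an initial handshake its body is a single 0x00 byte, which is the "len=1 ... 00" line in the -tlsextdebug output). The Python below is an added example, not code from the thread or from OpenSSL: it builds a constructed ServerHello and performs the same check; the helper names are my own.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # TLS extension id 65281, RFC 5746 renegotiation_info


def build_server_hello(extensions):
    """Build a minimal TLS 1.0 ServerHello handshake message (constructed sample, not a capture).

    extensions: list of (type, data) tuples; an empty list gives a ServerHello without extensions,
    which is what a server that does not implement RFC 5746 returns."""
    body = b"\x03\x01"             # server_version: TLS 1.0
    body += b"\x11" * 32           # random (constructed filler)
    body += b"\x00"                # session_id length 0
    body += b"\x00\x0a"            # cipher suite DES-CBC3-SHA (0x000A), as in the s_client trace
    body += b"\x00"                # compression_method NONE
    if extensions:
        ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_block)) + ext_block
    # HandshakeType server_hello (2) followed by a 24-bit body length
    return b"\x02" + struct.pack("!I", len(body))[1:] + body


def parse_server_hello_extensions(msg):
    """Return {extension_type: data} for the extensions in a ServerHello handshake message."""
    if msg[0] != 2:
        raise ValueError("not a ServerHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    pos = 2 + 32                   # skip server_version and random
    pos += 1 + body[pos]           # skip session_id (length-prefixed)
    pos += 2 + 1                   # skip cipher suite and compression method
    exts = {}
    if pos < len(body):            # extensions block is optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
    return exts


def secure_renegotiation_support(msg):
    """Mirror what SSL_get_secure_renegotiation_support() reports: did the server send RI?

    True only means the peer advertised RFC 5746; it says nothing about whether a later
    renegotiation attempt will be accepted (the IIS6 behaviour discussed in the thread)."""
    ri = parse_server_hello_extensions(msg).get(RENEGOTIATION_INFO)
    if ri is None:
        return False
    if ri != b"\x00":              # initial handshake: renegotiated_connection must be empty
        raise ValueError("unexpected renegotiation_info body: %s" % ri.hex())
    return True
```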
