Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555

2009-11-16 Thread Joe Orton
On Mon, Nov 16, 2009 at 09:59:12PM +0100, Hartmut Keil wrote: > With the change described in > https://issues.apache.org/bugzilla/show_bug.cgi?id=48204 > the buffer used in ssl_io_input_read(..) will be reset, and so the second > request of > the MITM will be dropped. > The first request will be

Re: svn commit: r880981 - /httpd/httpd/trunk/build/instdso.sh

2009-11-16 Thread Jeff Trawick
On Mon, Nov 16, 2009 at 4:51 PM, wrote: > Author: trawick > Date: Mon Nov 16 21:51:01 2009 > New Revision: 880981 > > URL: http://svn.apache.org/viewvc?rev=880981&view=rev > Log: > tweak r823613/PR 47951 change to avoid /usr/sbin/install on > Solaris > > (not compatible with BSD install) > > Modi

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-16 Thread Rainer Jung
On 16.11.2009 20:21, Jean-Marc Desperrier wrote: > Jean-Marc Desperrier wrote: > An interesting point is that firefox is *not* reusing the ssl session in > that case, for some reason it sends a SessionID of 0 after the "Hello > Request" from the server. I'll forward that to the NSS team, because if

Re: mod_fcgid: different instances of the same program

2009-11-16 Thread Rainer Jung
On 16.11.2009 13:14, Jeff Trawick wrote: > On Mon, Nov 16, 2009 at 5:03 AM, Danny Sadinoff wrote: >> On Tue, Nov 10, 2009 at 1:47 AM, Danny Sadinoff wrote: >>> >>> On Tue, Nov 10, 2009 at 12:53 AM, Jeff Trawick wrote: On Mon, Nov 9, 2009 at 5:16 PM, Danny Sadinoff wrote: > 2)

handling request splicing in case of server initiated renegotiation CVE-2009-3555

2009-11-16 Thread Hartmut Keil
Hi everybody for clarification of https://issues.apache.org/bugzilla/show_bug.cgi?id=48204 a more detailed explanation of the described attack scenario is given here. With the patch CVE-2009-3555-2.2.patch client initiated renegotiation has been disabled, as a consequence of CVE-2009-3555. But

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-16 Thread Joe Orton
On Mon, Nov 16, 2009 at 08:21:20PM +0100, Jean-Marc Desperrier wrote: > Ok, so in fact I have one apache instance available locally with a > problem of this kind. It's configured to not require client > authentication by default, but to require it on the /authentication url > > So what happens t

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-16 Thread Torsten Foertsch
On Mon 16 Nov 2009, Jean-Marc Desperrier wrote: > Here's the wireshark captured exchange between the client and server, > note that "Hello Request" always *immediately* follows the end of the > renegotiation. This is with Apache 2.2.11/Openssl 0.9.8i (not a > > production server) : > > 217   19:30:5

intend to roll next alpha on 24th

2009-11-16 Thread Paul Querna
I'll try to do another 2.3.x on next Tuesday, the 24th. We can vote on it over thanksgiving :-) Thanks, Paul

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-16 Thread Jean-Marc Desperrier
Jean-Marc Desperrier wrote: Everyone who uses client certificate authentication knows that there are many apache configurations around that will force the user to repeatedly reauthenticate himself for apparently no good reason. It's hard to believe the explanation is only that all of the concerne

I'm stuck with an OS X module problem and -mmacosx-version-min=10.5

2009-11-16 Thread Patrick McManus
Hi All, Here's my problem - I have an apache module that has been happily running on Mac Leopard for quite a while. I installed snow leopard recently. If I build it on the SL host, it works fine there too. Of course, the SL binary will not run on 10.5 - I get linker errors when apache loads it. T

Re: A fundamentally secure Apache server, any interest?

2009-11-16 Thread Jorge Schrauwen
On Mon, Nov 16, 2009 at 5:11 PM, Sander Temme wrote: > Hi Kevin, > > Definitely not the right list: this is where we discuss development of the > Apache HTTP Server code.  us...@httpd.apache.org may be a better forum within > apache.org.  Outside Apache, several initiatives exist to look into ha

Re: A fundamentally secure Apache server, any interest?

2009-11-16 Thread Sander Temme
Hi Kevin, Definitely not the right list: this is where we discuss development of the Apache HTTP Server code. us...@httpd.apache.org may be a better forum within apache.org. Outside Apache, several initiatives exist to look into hardening web servers. The Center for Internet Security

Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL)

2009-11-16 Thread Joe Orton
On Fri, Nov 06, 2009 at 02:00:47AM +, Dirk-Willem van Gulik wrote: > What we really need is 1) a pub/priv key pair of such a cert* (or use > attached CSR) of some random domain (ideally expired and with a totally > bogus CN value so we can post the private key publicly) and 2) obviously >

Re: mod_fcgid: different instances of the same program

2009-11-16 Thread Felipe Alcacibar
> On Mon, Nov 9, 2009 at 5:16 PM, Danny Sadinoff > wrote: > 2) Virtual hosts > The above item holds true even across virtual hosts.   So while > it's possible to adjust the FcgidInitialEnv items on a per-vhost > basis, this is a recipe for disaster if two vhosts point at the same > fcgi executable

Re: one remaining mpms-shared quirk

2009-11-16 Thread Jeff Trawick
On Sun, Nov 15, 2009 at 5:09 PM, Jeff Trawick wrote: > On Sat, Nov 14, 2009 at 8:10 PM, William A. Rowe Jr. > wrote: >> ./configure with both --with-mpm=worker --enable-mpms-shared provides a >> really >> odd result; >> >> checking which MPM to use by default... worker >> ../httpd-2.x/configure:

Re: A fundamentally secure Apache server, any interest?

2009-11-16 Thread Mark Watts
On Mon, 2009-11-16 at 08:42 -0500, Sweere, Kevin E CTR USAF AFRL/RYT wrote: > Greetings, > > I work for the US Air Force. We have a prototype that dramatically, > fundamentally increases a web server's security. > > We run an Apache server within a minimized, user-level-only, Linux variant >

Re: A fundamentally secure Apache server, any interest?

2009-11-16 Thread Junyong Jiang
I support you! 2009/11/16 Sweere, Kevin E CTR USAF AFRL/RYT > Greetings, > > I work for the US Air Force. We have a prototype that dramatically, > fundamentally increases a web server's security. > > We run an Apache server within a minimized, user-level-only, Linux variant > only within RAM an

Re: balancer-manager and server-status feature request.

2009-11-16 Thread Jim Jagielski
On Nov 16, 2009, at 5:52 AM, Mladen Turk wrote: > Regarding xml data, it is my long standing wish to create > log output filter sub module system where the log lines would > go through a VFS filter capable of writing to xml, database, etc > (depending on the VFS implementation). > *grin* I'd be

A fundamentally secure Apache server, any interest?

2009-11-16 Thread Sweere, Kevin E CTR USAF AFRL/RYT
Greetings, I work for the US Air Force. We have a prototype that dramatically, fundamentally increases a web server's security. We run an Apache server within a minimized, user-level-only, Linux variant only within RAM and from only a DVD (no hard drive). With no shells, hackers have nowhere

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-16 Thread Jean-Marc Desperrier
Stefan Fritsch wrote: On Tuesday 10 November 2009, Jean-Marc Desperrier wrote: [ Apache + openssl 0.9.8l = TLS renegotiation fully disabled ] First there's the short SSLSessionCacheTimeout problem : https://issues.apache.org/bugzilla/show_bug.cgi?id=39243#c23 [...] If they actually are renegotia

Re: mod_fcgid: different instances of the same program

2009-11-16 Thread Jeff Trawick
On Mon, Nov 16, 2009 at 5:03 AM, Danny Sadinoff wrote: > On Tue, Nov 10, 2009 at 1:47 AM, Danny Sadinoff wrote: >> >> On Tue, Nov 10, 2009 at 12:53 AM, Jeff Trawick wrote: >> > >> > On Mon, Nov 9, 2009 at 5:16 PM, Danny Sadinoff >> > wrote: >> > > 2) Virtual hosts >> > > The above item holds tr

Re: mod_rewrite and mod_fcgid pass wrong fcgi request

2009-11-16 Thread Jeff Trawick
On Mon, Nov 16, 2009 at 1:04 AM, Felipe Alcacibar wrote: > ... >> When comparing modes of PHP execution: >> >> - CGI and FastCGI are directly comparable because the information that >> Apache needs to pass to PHP is the same.  (In fact, mod_cgi[d] and >> mod_fcgid use the same core Apache code to

mod_proxy_fcgi changes SCRIPT_FILENAME?

2009-11-16 Thread Dong Wang
I am trying to use apache-2.3's mod_proxy_fcgi in 2.2.13. It seems to be built and run all right. But I have noticed that the SCRIPT_FILENAME has been changed to "proxy:balancer://xx", it can't be recognized by the remote PHP backend. So the request failed. In my opinion, the remote PHP back

Re: balancer-manager and server-status feature request.

2009-11-16 Thread Mladen Turk
On 16/11/09 11:33, Mark Watts wrote: The statistics one gets from both /balancer-manager and mod_status are useful but of course only exist until httpd is restarted. It would be nice if they could be configured to periodically write some lines to the error log (at LogLevel info or so) with thes

balancer-manager and server-status feature request.

2009-11-16 Thread Mark Watts
The statistics one gets from both /balancer-manager and mod_status are useful but of course only exist until httpd is restarted. It would be nice if they could be configured to periodically write some lines to the error log (at LogLevel info or so) with these statistics so the data can be preserv

Re: mod_fcgid: different instances of the same program

2009-11-16 Thread Danny Sadinoff
On Tue, Nov 10, 2009 at 1:47 AM, Danny Sadinoff wrote: > On Tue, Nov 10, 2009 at 12:53 AM, Jeff Trawick wrote: > > > > On Mon, Nov 9, 2009 at 5:16 PM, Danny Sadinoff > wrote: > > > 2) Virtual hosts > > > The above item holds true even across virtual hosts. So while > > > it's possible to adju