Hello everyone.
I have Apache 2.2.11 up and running in a Linux SUSE 10 environment with OpenSSL
version 0.9.6.g.
After a network scan they've found that I have to disable TLS Renegotiation
support in my server.
I've seen that I can do this with the SSLInsecureRenegotiation off directive in my
configuration file, but this is available with Apache 2.2.15.
I found this on the web:
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
and offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol, RFC 5746.
[Joe Orton, and with thanks to the OpenSSL Team]
Is there some workaround to do this without upgrading my Apache version?
I mean some mod_ssl configuration directives that I can set to bypass the
problem/vulnerability?
Thanks in advance.
Greetings
Vorazzo Manuela