On Thu, Nov 05, 2009 at 11:00:42AM -0800, Kyle Hamilton wrote:

> (replying to a message on dev-security at mozilla, but since this
> affects OpenSSL more than Mozilla, I'm sending this one directly to
> openssl-users and bcc:ing dev-security.  I hope the spam filter lets
> it through.)
>
> When handled properly (i.e., you don't rely on anything before the
> renegotiation, except the single boolean fact that a renegotiation
> must occur), there's no problem.  This is a problem with the
> HTTP/HTTPS protocol and mod_ssl/IIS, not TLS.
>
> The fix is obvious: once the renegotiation is finalized, drop all
> prior data and send the request again.

This is not a general fix. One can't always "drop all data". If
renegotiation is allowed in the middle of data transfer, one cannot
drop all accumulated data. One may want to not apply any client
credentials gathered post renegotiation to data obtained before, but
that does not address all pertinent attacks.

> That's the essence of this attack, and the fact that Ben Laurie seems
> to think that it's perfectly acceptable to disable all renegotiation
> in OpenSSL 0.9.8l (ell) (including 'anonymous negotiation followed by
> renegotiation to protect the X.509 certificates from passive
> eavesdroppers') suggests that he's more short-sighted than the
> protocol developers he's trying to cover up for.
>
> Thanks for destroying my non-HTTP app, Ben.

Are you sure your app is immune? Can you describe your application
protocol (once SSL is established what is the client<->server message
flow)?

-- 
    Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
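
The server-side policies argued over in this thread, as an added toy model that is not part of the original messages and not OpenSSL code: "drop all prior data and send the request again" versus never applying post-renegotiation credentials to earlier data, plus the mid-transfer case where early data has already been acted on. The class, method and policy names and all sample bytes and identities are assumptions made up for illustration; no real TLS is performed.

```python
from dataclasses import dataclass, field

@dataclass
class Connection:
    """Toy server-side view of one TLS connection (hypothetical names, no real TLS)."""
    policy: str                                    # "merge", "drop_and_resend", "bind_to_epoch"
    epoch: int = 0                                 # bumped by every completed handshake
    identity: dict = field(default_factory=dict)   # epoch -> client identity or None
    pending: list = field(default_factory=list)    # (epoch, data) not yet acted on
    delivered: list = field(default_factory=list)  # (epoch, data) already acted on

    def handshake(self, client_identity=None):
        """Initial handshake or a completed renegotiation."""
        self.epoch += 1
        self.identity[self.epoch] = client_identity
        if self.policy == "drop_and_resend" and self.epoch > 1:
            self.pending.clear()   # keep only the fact that a renegotiation occurred

    def receive(self, data, act_now=False):
        (self.delivered if act_now else self.pending).append((self.epoch, data))

    def authorize(self):
        """Return (pending request bytes, identity the server attributes them to)."""
        who = self.identity[self.epoch]
        if self.policy == "bind_to_epoch" and any(e != self.epoch for e, _ in self.pending):
            who = None             # credentials never cover data from an earlier epoch
        return b"".join(d for _, d in self.pending), who

    def acted_on_before_current_epoch(self):
        """Data no policy can drop any more: it was consumed before renegotiation."""
        return b"".join(d for e, d in self.delivered if e < self.epoch)

def request_response(policy):
    """Constructed flow: data arrives, renegotiation adds a client cert, more data arrives."""
    c = Connection(policy)
    c.handshake()                         # epoch 1, no client identity
    c.receive(b"part-before;")            # origin of these bytes is unauthenticated
    c.handshake("CN=client")              # epoch 2, identity is a made-up sample
    c.receive(b"part-after")              # with drop_and_resend this is the full resend
    return c.authorize()

def mid_transfer(policy):
    """Same, but the application already acted on the early data (streaming)."""
    c = Connection(policy)
    c.handshake()
    c.receive(b"chunk-1;", act_now=True)
    c.handshake("CN=client")
    return c.acted_on_before_current_epoch()
```

With "merge" the early bytes end up attributed to the later identity; the other two policies prevent that for pending data, but `mid_transfer` returns the already-consumed chunk under every policy, which is the case the reply says cannot be fixed by dropping data.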