Posted to bugs@httpd.apache.org by bu...@apache.org on 2010/03/05 15:43:41 UTC

DO NOT REPLY [Bug 48866] New: Clarification regarding CVE-2009-3555

https://issues.apache.org/bugzilla/show_bug.cgi?id=48866

           Summary: Clarification regarding CVE-2009-3555
           Product: Apache httpd-2
           Version: 2.2.14
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: sailesh_kyanam@fanniemae.com


Per CVE-2009-3555
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555), mod_ssl (among
many products that use SSL/TLS) is vulnerable to a MITM attack during SSL/TLS
renegotiation. The CVE and various advisories posted online are not very clear
on the scope of this vulnerability. The CVE seems to suggest that the
vulnerability manifests itself only when client cert authentication is used.
However, other advisories suggest that this could happen even when client cert
authentication is not involved, if the client or server requests a
re-negotiate.

My first question is: Are Apache web servers 2.2.x with mod_ssl vulnerable to
this issue if client certificate authentication is not used?

My second question is: 2.2 documentation refers to a new mod_ssl directive
called SSLInsecureRenegotiation:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation. The
document mentions that this is only supported in 2.2.15 but I have not seen
2.2.15 being released. When would it be released?


Thanks

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
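The two things the report asks about can be checked directly: whether an endpoint advertises the RFC 5746 secure renegotiation extension (the fix for CVE-2009-3555, which `openssl s_client` reports on its "Secure Renegotiation" line), and whether an httpd config re-enables the legacy behaviour with `SSLInsecureRenegotiation on`. The script below is an added example, not code from the bug report or the httpd project; the transcripts and config are constructed samples, and `check_host` assumes network access, the openssl CLI, and a hostname you supply.

```shell
#!/bin/sh
# Added example, not part of bug 48866 or httpd itself. Two defender-side
# checks for CVE-2009-3555: does an endpoint advertise the RFC 5746 secure
# renegotiation extension, and does an httpd config re-enable the legacy
# (unsafe) renegotiation via "SSLInsecureRenegotiation on"?

# Classify an `openssl s_client` transcript read from stdin.
# Prints secure / insecure / unknown; exit status 0 only for secure.
classify_reneg() {
    transcript=$(cat)
    case "$transcript" in
        *"Secure Renegotiation IS supported"*)     echo secure;   return 0 ;;
        *"Secure Renegotiation IS NOT supported"*) echo insecure; return 1 ;;
        *)                                         echo unknown;  return 2 ;;
    esac
}

# Probe a live host (hypothetical target; needs network and the openssl CLI).
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | classify_reneg
}

# Print any line of an httpd config (stdin) that turns the directive on.
# Exit status 0 when such a line exists, 1 otherwise (plain grep semantics).
insecure_reneg_enabled() {
    grep -Ei '^[[:space:]]*SSLInsecureRenegotiation[[:space:]]+on([[:space:]]|$)'
}

# Constructed sample transcripts and config, trimmed to the relevant lines.
SAMPLE_PATCHED='SSL handshake has read 1234 bytes and written 456 bytes
Secure Renegotiation IS supported
Compression: NONE'
SAMPLE_UNPATCHED='SSL handshake has read 1234 bytes and written 456 bytes
Secure Renegotiation IS NOT supported
Compression: NONE'
SAMPLE_CONF='SSLEngine on
# re-enabling legacy renegotiation for an old client
SSLInsecureRenegotiation on
SSLCertificateFile /etc/ssl/example.crt'

# Optional live probe: ./check_reneg.sh host [port]
[ $# -gt 0 ] && check_host "$@"
```

A server that reports "IS NOT supported" either predates the RFC 5746 patch or has had the legacy behaviour turned back on; the config grep finds the latter case before it reaches production.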


DO NOT REPLY [Bug 48866] Clarification regarding CVE-2009-3555

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48866

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Eric Covener <co...@gmail.com> 2010-03-05 15:08:09 UTC ---
Bugzilla is not a support forum, this research discussion should be taken to
the users mailing list.  Actually using client certs is in no way necessary for
CVE-2009-3555 to be an issue.
