Posted to bugs@httpd.apache.org by bu...@apache.org on 2010/03/05 15:43:41 UTC
DO NOT REPLY [Bug 48866] New: Clarification regarding CVE-2009-3555
https://issues.apache.org/bugzilla/show_bug.cgi?id=48866
Summary: Clarification regarding CVE-2009-3555
Product: Apache httpd-2
Version: 2.2.14
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: sailesh_kyanam@fanniemae.com
Per CVE-2009-3555
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555), mod_ssl (among
many products that use SSL/TLS) is vulnerable to a MITM attack during SSL/TLS
renegotiation. The CVE and various advisories posted online are not very clear
on the scope of this vulnerability. The CVE seems to suggest that the
vulnerability manifests itself only when client cert authentication is used.
However, other advisories suggest that this could happen even when client cert
authentication is not involved, if the client or server requests a
re-negotiate.
My first question is: Are Apache web servers 2.2.x with mod_ssl vulnerable to
this issue if client certificate authentication is not used?
My second question is: 2.2 documentation refers to a new mod_ssl directive
called SSLInsecureRenegotiation:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation. The
document mentions that this is only supported in 2.2.15 but I have not seen
2.2.15 being released. When would it be released?
Thanks
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
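The reporter's first question (whether CVE-2009-3555 matters without client certificates) is answered below in the thread, but a practitioner usually also wants a way to tell whether a given httpd endpoint actually negotiates RFC 5746 secure renegotiation after patching. The check below is an added example, not code from the bug report or from the httpd project; it assumes an OpenSSL 0.9.8m or later `s_client` on the checking side (which is what prints the "Secure Renegotiation IS ..." summary line), and the three transcripts embedded in it are constructed samples, not captures from any real host.

```shell
#!/bin/sh
# Added example: not part of the bug report or of httpd/mod_ssl itself.
# Classifies an `openssl s_client` transcript by whether the peer negotiated
# the RFC 5746 "renegotiation_info" extension, the fix for CVE-2009-3555.
# OpenSSL 0.9.8m and later print one of these lines in the s_client summary:
#   Secure Renegotiation IS supported
#   Secure Renegotiation IS NOT supported
# Older OpenSSL builds print neither, so the result is "unknown".

# Usage: classify_renegotiation < transcript
# Prints secure | insecure | unknown; exit status 0, 1 or 2 respectively.
classify_renegotiation() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'Secure Renegotiation IS supported'; then
        echo secure
        return 0
    elif printf '%s\n' "$transcript" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo insecure
        return 1
    else
        echo unknown
        return 2
    fi
}

# Live check against host:port (argument is a placeholder you supply).
# Needs OpenSSL >= 0.9.8m on the client side, otherwise the answer is
# always "unknown" regardless of the server's patch level.
check_host() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | classify_renegotiation
}

# Constructed sample transcripts (abbreviated s_client output, not real captures).
SAMPLE_SECURE='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
---'

SAMPLE_INSECURE='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
---'

SAMPLE_OLD='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
---'

# Demo run with no network: prints secure, insecure, unknown.
printf '%s\n' "$SAMPLE_SECURE"   | classify_renegotiation
printf '%s\n' "$SAMPLE_INSECURE" | classify_renegotiation || true
printf '%s\n' "$SAMPLE_OLD"      | classify_renegotiation || true
```

On the server side the matching setting is the directive the reporter links to: in 2.2.15 and later `SSLInsecureRenegotiation` defaults to `off`, which makes mod_ssl refuse to complete a renegotiation with a peer that did not negotiate the extension; a server that reports "IS NOT supported" here is either running an older httpd/OpenSSL pair or has that directive switched on.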
DO NOT REPLY [Bug 48866] Clarification regarding CVE-2009-3555
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48866
Eric Covener <co...@gmail.com> changed:
What          |Removed       |Added
----------------------------------------------------------------------------
Status        |NEW           |RESOLVED
Resolution    |              |INVALID
--- Comment #1 from Eric Covener <co...@gmail.com> 2010-03-05 15:08:09 UTC ---
Bugzilla is not a support forum, this research discussion should be taken to
the users mailing list. Actually using client certs is in no way necessary for
CVE-2009-3555 to be an issue.