Posted to bugs@httpd.apache.org by bu...@apache.org on 2010/03/03 19:41:27 UTC

DO NOT REPLY [Bug 48850] New: clarification on OpenSSL 0.9.8l - Renegotiating vulnerability

https://issues.apache.org/bugzilla/show_bug.cgi?id=48850

           Summary: clarification on OpenSSL 0.9.8l - Renegotiating
                    vulnerability
           Product: Apache httpd-2
           Version: 2.2.14
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: rajat.ray@gmail.com


Hi,

Wanted a clarification on OpenSSL 0.9.8l (CVE-2009-3555 - TLS / SSLv3
Renegotiating vulnerability). When I execute the following:


 ./openssl s_client -connect www.testapp.com:8090

--- [snipped... openssl output]

HEAD / HTTP/1.0
R
RENEGOTIATING
<Enter>

The below output is shown:


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"7777-1266209541000"
Last-Modified: Mon, 15 Feb 2010 04:52:21 GMT
Content-Type: text/html
Content-Length: 7777
Date: Wed, 03 Mar 2010 17:44:54 GMT
Connection: close

What I want to know is if this should output the header details or should that
be suppressed also. As per a lot of forums, I should get this error:
“28874:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:”

OR

The connection blocks and times out after a while.
Could someone please clarify?

Thanks
Rajat

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 48850] clarification on OpenSSL 0.9.8l - Renegotiating vulnerability

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48850

Will Rowe <wr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Will Rowe <wr...@apache.org> 2010-03-03 19:38:08 UTC ---
Apache-Coyote/1.1 is not the httpd webserver, it is the Tomcat webserver
internal connector.



DO NOT REPLY [Bug 48850] clarification on OpenSSL 0.9.8l - Renegotiating vulnerability

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48850

--- Comment #2 from Ruediger Pluem <rp...@apache.org> 2010-03-04 18:05:29 UTC ---
*** Bug 48859 has been marked as a duplicate of this bug. ***
