Lexa Software: Nginx-ru@sysoev.ru archive

		Apache-Talk @lexa.ru
		Inet-Admins @info.east.ru
		Filmscanners @halftone.co.uk
		Security-alerts @yandex-team.ru
		nginx-ru @sysoev.ru

СТАТЬИ

ПЕРСОНАЛЬНОЕ

ПРОГРАММЫ

ПИШИТЕ
ПИСЬМА

АРХИВ :: nginx-ru

Nginx-ru mailing list archive (nginx-ru@sysoev.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Disable SSL renegotiation (CVE-2009-3555).

To: nginx-ru@xxxxxxxxx
Subject: Re: [PATCH] Disable SSL renegotiation (CVE-2009-3555).
From: Igor Sysoev <is@xxxxxxxxxxxxx>
Date: Fri, 6 Nov 2009 16:49:18 +0300
In-reply-to: <20091106132851.GV1144@xxxxxxxxxx>
References: <20091106132851.GV1144@xxxxxxxxxx>

On Fri, Nov 06, 2009 at 04:28:52PM +0300, Maxim Dounin wrote:

> Hello!
> 
> Патч, запрещающий ssl renegotiation для старых версий openssl 
> (ссылок по теме есть в самом патче если кто ещё не читал, ну и в 
> гугле наливают).
> 
> Я проверил это на openssl 0.9.7e (из freebsd 6.2), и текущем 
> 0.9.8l (где renegotiation недоступна по умолчанию).  Делает вид 
> что работает.
> 
> Если кто-то потестирует - будет замечательно.

Спасибо. У меня renegotiating в openssl клиенте не происходит и клиент
ничего не хочет принимать. Насколько я понимаю, это проблема клианта
openssl:

handshake:

2009/11/06 16:44:44 [debug] 69702#0: *1 http check ssl handshake
2009/11/06 16:44:44 [debug] 69702#0: *1 https ssl handshake: 0x80
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 118 slot: 4
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 2A827000
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 44 slot: 3
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 2A8260C0
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 32 slot: 2
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 2A828020
2009/11/06 16:44:44 [debug] 69702#0: *1 ssl new session: 15397595:32:118
2009/11/06 16:44:44 [debug] 69702#0: *1 SSL_do_handshake: 1
2009/11/06 16:44:44 [debug] 69702#0: *1 SSL: TLSv1, cipher: "DHE-RSA-AES256-SHA 
SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1"
2009/11/06 16:44:44 [debug] 69702#0: *1 http process request line
2009/11/06 16:44:44 [debug] 69702#0: *1 SSL_read: -1
2009/11/06 16:44:44 [debug] 69702#0: *1 SSL_get_error: 2
2009/11/06 16:44:44 [debug] 69702#0: timer delta: 1
2009/11/06 16:44:44 [debug] 69702#0: posted events 00000000
2009/11/06 16:44:44 [debug] 69702#0: worker cycle
2009/11/06 16:44:44 [debug] 69702#0: kevent timer: 14999, changes: 0

renegotiating:

2009/11/06 16:44:45 [debug] 69702#0: kevent events: 1
2009/11/06 16:44:45 [debug] 69702#0: kevent: 13: ft:-1 fl:0020 ff:00000000 
d:133 ud:082A84E0
2009/11/06 16:44:45 [debug] 69702#0: *1 http process request line
2009/11/06 16:44:45 [info] 69702#0: *1 ignoring unexpected SSL renegotiation 
while SSL handshaking, client: 127.0.0.1, server: t42
2009/11/06 16:44:45 [debug] 69702#0: *1 SSL_read: -1
2009/11/06 16:44:45 [debug] 69702#0: *1 SSL_get_error: 2
2009/11/06 16:44:45 [debug] 69702#0: timer delta: 903
2009/11/06 16:44:45 [debug] 69702#0: posted events 00000000
2009/11/06 16:44:45 [debug] 69702#0: worker cycle
2009/11/06 16:44:45 [debug] 69702#0: kevent timer: 14096, changes: 0


-- 
Игорь Сысоев
http://sysoev.ru

Follow-Ups:
- Re: [PATCH] Disable SSL renegotiation (CVE-2009-3555).
  - From: Maxim Dounin

References:
- [PATCH] Disable SSL renegotiation (CVE-2009-3555).
  - From: Maxim Dounin

Prev by Date: [PATCH] Disable SSL renegotiation (CVE-2009-3555).
Next by Date: Re: [PATCH] Disable SSL renegotiation (CVE-2009-3555).
Previous by thread: [PATCH] Disable SSL renegotiation (CVE-2009-3555).
Next by thread: Re: [PATCH] Disable SSL renegotiation (CVE-2009-3555).
Index(es):
- Date
- Thread