I'm surprised not to see it mentioned here yet, but Firefox
nightlies implement the new TLS spec to prevent the renegotiation
flaw. The fixes in NSS can also be used to build your own patched
version of moz_nss for apache.

Huge thanks to Nelson Bolyard for implementing the spec in NSS and
Kai Engert for the client (Firefox) integration piece.

To solve the problem for real in the long run both servers and
clients need to be patched, and patched clients and servers must not
talk to unpatched servers and clients. In the short run that's
unrealistic so the Firefox settings are currently extremely
permissive, but paranoid users who only need to talk to a couple of
servers that they know are patched could make it strict if they like.

Test server at https://ssltls.de

Firefox nightlies have been patched since Feb 8 or 9
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/

Kai's write-up on the various client options
https://wiki.mozilla.org/Security:Renegotiation

Official RFC (released Friday)
http://tools.ietf.org/html/rfc5746

Currently the only change in Firefox behavior is that it will not
RE-negotiate with an unpatched server--but it will complete an
initial handshake so it's still vulnerable to the flaw. This will
break client-auth in most cases so there's a global pref that allows
unsafe renegotiation, and another pref so you could whitelist a
server or two you need to do client-auth with.

Firefox will also spit out messages to the error console for each
unpatched server it encounters. Another pref will show "broken-ssl"
indicators for such servers and yet another will refuse connections
to unpatched servers if you really want to get hardcore (and not use
SSL at all for a while).

These are _test_ builds and don't necessarily reflect how we'll ship
a future Firefox update. For updates on the stable branches we'll
probably have to allow unsafe renegotiation for a while; it's not a
good strategy to ship a security update and force people to choose
between security and connecting with their bank/gov't/work. Or we
might have to do some UI work so affected users can tweak this
without having to wade into about:config.

Although currently not an option, one approach might be to downgrade
EV sites to normal SSL if they aren't patched and at least put
pressure on the sites that think they have something to protect.
Later this year we can start showing broken SSL indicators for
unpatched servers, when at least some servers are patched.

-Dan Veditz
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security