Re: Nod to 2.0, one more time?
Rainer Jung wrote: On 22.03.2010 14:52, William A. Rowe Jr. wrote: Wondering if we are comfortable tagging and releasing 2.0.64 in the I agree there should be a release fixing (at least) CVE-2009-3555 (ssl reneg). My tests were positive, but more eyes are very welcome. Rainer, XP SP2 VC6 SDK 2003 R2 Apache/2.0.64-dev (Win32) mod_ssl/2.0.64-dev OpenSSL/0.9.8m In reference to the CVE-2009-3555 patches and the SSLInsecureRenegotiation patch Following your instructions; * Patch applies also on top of the two above partial fixes for CVE-2009-3555 with some offset and fuzz. cve-2009-3555_httpd_2_0_x-v2.patch + cve-2009-3555_httpd_2_0_x-backport-r891282.patch + SSLInsecureRenegotiation_httpd_2_0_x-backport-r917044.patch = Failure SSLInsecureRenegotiation On = R RENEGOTIATING 3664:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:530: I had accidentally left out the first patch when I was building and it worked fine. Realizing I had left one out and not sure which, I did it again with the three patches and it failed. I then tried the combinations 1 3, failure, 2 3 success. So; cve-2009-3555_httpd_2_0_x-backport-r891282.patch + SSLInsecureRenegotiation_httpd_2_0_x-backport-r917044.patch = Success as advertised SSLInsecureRenegotiation Off = Renegotiation failed SSLInsecureRenegotiation On = Renegotiation succeeded SSLInsecureRenegotiation Off = E:\AOSSL098kopenssl OpenSSL version OpenSSL 0.9.8k 25 Mar 2009 OpenSSL s_client -connect localhost:443 --- R RENEGOTIATING 3696:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:530: OpenSSL exit = SSLInsecureRenegotiation On = --- R RENEGOTIATING depth=0 /C=US/ST=IOWA/L=DESMOINES/O=Snake Oil Ltd/OU=Snake Oil Ltd verify error:num=18:self signed certificate verify return:1 depth=0 /C=US/ST=IOWA/L=DESMOINES/O=Snake Oil Ltd/OU=Snake Oil Ltd verify return:1 GET / htmlbodyh1It works!/h1/body/html closed To make sure I had it right, I reproduced it twice again. I do not pretend to know the consequence of leaving out the first patch. This is just my accidental observation. Since I know all three of the 2.2.x patches were applied to 2.2.15 I just gave it a try against my server running 2.2.15. There is the same problem as well. SSLInsecureRenegotiation On and it still fails to renegotiate with 0.9.8k client. I missed this during my tests leading up to 2.2.15. Gregg
Re: Nod to 2.0, one more time?
Hi Gregg, thanks for testing, see comments below. On 24.03.2010 23:17, Gregg L. Smith wrote: Rainer Jung wrote: On 22.03.2010 14:52, William A. Rowe Jr. wrote: Wondering if we are comfortable tagging and releasing 2.0.64 in the I agree there should be a release fixing (at least) CVE-2009-3555 (ssl reneg). My tests were positive, but more eyes are very welcome. Rainer, XP SP2 VC6 SDK 2003 R2 Apache/2.0.64-dev (Win32) mod_ssl/2.0.64-dev OpenSSL/0.9.8m In reference to the CVE-2009-3555 patches and the SSLInsecureRenegotiation patch Following your instructions; * Patch applies also on top of the two above partial fixes for CVE-2009-3555 with some offset and fuzz. cve-2009-3555_httpd_2_0_x-v2.patch + cve-2009-3555_httpd_2_0_x-backport-r891282.patch + SSLInsecureRenegotiation_httpd_2_0_x-backport-r917044.patch = Failure You mean functional failure, not failed to apply patch? There are two ways, how an SSL renegotiation can be initiated: - the client can initiate it - the server can initiate it All your tests - using the OpenSSL R command - perform a client initiated renegotiation. The first patch disables client initiated renegotiations completely. They are not needed for making the server work and are one possible attack vector. The server only needs server initiated renegotiations. For testing those you can e.g. use some cipher X in the ssl configuration of a vhost and require another cipher Y in some Location below that vhost. If you now visit the vhost, the initial handshake should result in the cipher X. When browing to the location, a server initiated renegotiation will happen and lead to the other cipher Y. You can check that by logging the cipher in the access log. You can also log the ssl session id in the access log and verify that the ssl session does not change. For this final check to work, you will need to disable client side session handling. E.g. for Firefox you go to the URL about:config and set security.enable_tls_session_tickets to false. HTH! Regards, Rainer SSLInsecureRenegotiation On = R RENEGOTIATING 3664:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:530: I had accidentally left out the first patch when I was building and it worked fine. Realizing I had left one out and not sure which, I did it again with the three patches and it failed. I then tried the combinations 1 3, failure, 2 3 success. So; cve-2009-3555_httpd_2_0_x-backport-r891282.patch + SSLInsecureRenegotiation_httpd_2_0_x-backport-r917044.patch = Success as advertised SSLInsecureRenegotiation Off = Renegotiation failed SSLInsecureRenegotiation On = Renegotiation succeeded SSLInsecureRenegotiation Off = E:\AOSSL098kopenssl OpenSSL version OpenSSL 0.9.8k 25 Mar 2009 OpenSSL s_client -connect localhost:443 --- R RENEGOTIATING 3696:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:530: OpenSSL exit = SSLInsecureRenegotiation On = --- R RENEGOTIATING depth=0 /C=US/ST=IOWA/L=DESMOINES/O=Snake Oil Ltd/OU=Snake Oil Ltd verify error:num=18:self signed certificate verify return:1 depth=0 /C=US/ST=IOWA/L=DESMOINES/O=Snake Oil Ltd/OU=Snake Oil Ltd verify return:1 GET / htmlbodyh1It works!/h1/body/html closed To make sure I had it right, I reproduced it twice again. I do not pretend to know the consequence of leaving out the first patch. This is just my accidental observation. Since I know all three of the 2.2.x patches were applied to 2.2.15 I just gave it a try against my server running 2.2.15. There is the same problem as well. SSLInsecureRenegotiation On and it still fails to renegotiate with 0.9.8k client. I missed this during my tests leading up to 2.2.15. Gregg
Re: Nod to 2.0, one more time?
On 3/24/2010 5:51 PM, Rainer Jung wrote: The server only needs server initiated renegotiations. As repeated several times, there are apparently micro SSL implementations out there in the wild, e.g. cell phone browsers, who choose to renegotiate and - seeing an alert that it is not supported, hum merrily along. So the 'shut down the connection' flavor of halting server initiated renegotiation breaks such clients, while the openssl 0.9.8m graceful handling supports such renegotiation requests with a polite refusal.
Re: Nod to 2.0, one more time?
On 25.03.2010 00:20, William A. Rowe Jr. wrote: On 3/24/2010 5:51 PM, Rainer Jung wrote: The server only needs server initiated renegotiations. As repeated several times, there are apparently micro SSL implementations out there in the wild, e.g. cell phone browsers, who choose to renegotiate and - seeing an alert that it is not supported, hum merrily along. So the 'shut down the connection' flavor of halting server initiated renegotiation breaks such clients, while the openssl 0.9.8m graceful handling supports such renegotiation requests with a polite refusal. With respect to 2.0 the behaviour with the proposed patches should be identical to 2.2. Concerning those special SSL clients: I had the impression there is still not enough facts around even when following the OpenSSL discussion list. Yes, there are such clients, but we still can't be completely sure about their interoperability with 0.9.8m. Regards, Rainer
Nod to 2.0, one more time?
Wondering if we are comfortable tagging and releasing 2.0.64 in the coming days? These security issues aught to be addressed, and while we are at it, it just seems like a nice thing to do as we get closer to some 2.3 beta and further from any more improvements to 2.0. Opinions? Volunteers? If there are no objections and no volunteer, its something I'm happy to do later this week. I'll review the set of ssl patches tomorrow.
Re: Nod to 2.0, one more time?
On Mon, Mar 22, 2010 at 08:52:13AM -0500, William A. Rowe Jr. wrote: Wondering if we are comfortable tagging and releasing 2.0.64 in the coming days? These security issues aught to be addressed, and while we are at it, it just seems like a nice thing to do as we get closer to some 2.3 beta and further from any more improvements to 2.0. Totally agreed. Given the number of security related fixes in 2.2 lately, a new 2.0.x would be a very good thing. vh Mads Toftum -- http://soulfood.dk
Re: Nod to 2.0, one more time?
On Mon, Mar 22, 2010 at 9:52 AM, William A. Rowe Jr. wr...@rowe-clan.net wrote: Wondering if we are comfortable tagging and releasing 2.0.64 in the coming days? These security issues aught to be addressed, and while we are at it, it just seems like a nice thing to do as we get closer to some 2.3 beta and further from any more improvements to 2.0. Opinions? Volunteers? If there are no objections and no volunteer, its something I'm happy to do later this week. I'll review the set of ssl patches tomorrow. Does anyone feel a need to release APR and -Util first to resolve CVE-2009-2412? I don't think it is so important personally, but it is worth asking. (I could RM those two soon-ish if generally considered the Right Thing to do.)
Re: Nod to 2.0, one more time?
On Mon, Mar 22, 2010 at 10:17 AM, Jeff Trawick traw...@gmail.com wrote: On Mon, Mar 22, 2010 at 9:52 AM, William A. Rowe Jr. wr...@rowe-clan.net wrote: Wondering if we are comfortable tagging and releasing 2.0.64 in the coming days? These security issues aught to be addressed, and while we are at it, it just seems like a nice thing to do as we get closer to some 2.3 beta and further from any more improvements to 2.0. Opinions? Volunteers? If there are no objections and no volunteer, its something I'm happy to do later this week. I'll review the set of ssl patches tomorrow. Does anyone feel a need to release APR and -Util first to resolve 0.9.x, that is (context = httpd 2.0.x, which uses APR 0.9.x)
Re: Nod to 2.0, one more time?
On Mon, Mar 22, 2010 at 10:17:41AM -0400, Jeff Trawick wrote: Does anyone feel a need to release APR and -Util first to resolve CVE-2009-2412? I don't think it is so important personally, but it is worth asking. Would be nice to get both things done at once to avoid as much pressure for another 2.0.x soon. vh Mads Toftum -- http://soulfood.dk
Re: Nod to 2.0, one more time?
On 22.03.2010 14:52, William A. Rowe Jr. wrote: Wondering if we are comfortable tagging and releasing 2.0.64 in the coming days? These security issues aught to be addressed, and while we are at it, it just seems like a nice thing to do as we get closer to some 2.3 beta and further from any more improvements to 2.0. Opinions? Volunteers? If there are no objections and no volunteer, its something I'm happy to do later this week. I'll review the set of ssl patches tomorrow. I agree there should be a release fixing (at least) CVE-2009-3555 (ssl reneg). My tests were positive, but more eyes are very welcome. Unfortunately I'm mostly offline Wednesday/Thursday, so if there is a problem with those patches I might not be able to respond quickly during those days. Regards, Rainer
Re: Nod to 2.0, one more time?
On 3/22/2010 9:51 AM, Rainer Jung wrote: On 22.03.2010 14:52, William A. Rowe Jr. wrote: Wondering if we are comfortable tagging and releasing 2.0.64 in the coming days? These security issues aught to be addressed, and while we are at it, it just seems like a nice thing to do as we get closer to some 2.3 beta and further from any more improvements to 2.0. Opinions? Volunteers? If there are no objections and no volunteer, its something I'm happy to do later this week. I'll review the set of ssl patches tomorrow. I agree there should be a release fixing (at least) CVE-2009-3555 (ssl reneg). My tests were positive, but more eyes are very welcome. Unfortunately I'm mostly offline Wednesday/Thursday, so if there is a problem with those patches I might not be able to respond quickly during those days. I'm going to look at Jeff's observation about APR 0.9, and there's a good chance this could wrap around into early next week, giving us time to go ahead and TR APR 0.9 releases this week.
Re: Nod to 2.0, one more time?
On Mar 22, 2010, at 6:52 AM, William A. Rowe Jr. wrote: Wondering if we are comfortable tagging and releasing 2.0.64 in the coming days? These security issues aught to be addressed, and while we are at it, it just seems like a nice thing to do as we get closer to some 2.3 beta and further from any more improvements to 2.0. +1 Opinions? Volunteers? If there are no objections and no volunteer, its something I'm happy to do later this week. I'll review the set of ssl patches tomorrow. I don't think I'd RM but I'll endeavor to test. S. -- Sander Temme scte...@apache.org PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF