Re: nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation

JW
February 14, 2010 12:48AM
On Friday 12 February 2010 07:10:18 pm Maxim Dounin wrote:

> Test is simple: run
>
> openssl s_client -connect <host>:443
>
> and once connection is established press 'R' and hit enter to
> trigger renegotiation.
>
> Without the patch renegotiation will happen and connection will
> stay alive. And you will be able to issue normal http request after
> (something like "GET / HTTP/1.0"). With patch connection will be
> dropped.

This is what I get:

---
R
RENEGOTIATING
21395:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

So does that mean that actually the server is not vulnerable?


> Note well:
>
> 1. You need openssl <= 0.9.8k (unpatched one, not 'l'!) on
> client to test it, as in 0.9.8l renegotiation is completely broken
> by default and connection will just hang.

Got it on client.

> 2. With openssl 0.9.8l on server connection will hang, too. This
> means that you aren't vulnerable, but it's not easy to distinguish
> this case from the case with 0.9.8l on client (which just doesn't
> allow you to test).

Server has an older version.

> 3. First of all you should patch openssl, not nginx. Once you
> patch openssl on your system all programs which use it will be
> safe, not just nginx.

Unfortunately our OS vendor has not yet released a patch for openssl.

JW

--

----------------------
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
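The s_client test Maxim describes, scripted as an added example that is not part of this thread: it feeds 'R' and then a plain GET to openssl s_client and classifies the resulting transcript, so the "handshake failure" JW saw is reported as a refused renegotiation rather than left to interpretation. It assumes openssl s_client is on PATH for the live run; the transcripts used to exercise the classifier are constructed. Going beyond the 2010 post, it also looks at the "Secure Renegotiation IS supported" line that s_client prints from 0.9.8m onward, since a server implementing RFC 5746 lets the renegotiation complete without being exposed to CVE-2009-3555.

```shell
#!/bin/sh
# Added example (not from the nginx thread). Drives the test from the post:
# connect with openssl s_client, send 'R' to renegotiate, then send a GET.

# classify_transcript TRANSCRIPT
# Prints one word describing what the merged stdout+stderr of s_client shows:
#   refused - server dropped the connection on renegotiation (patched server)
#   secure  - renegotiation completed, but RFC 5746 was negotiated (not exposed)
#   allowed - renegotiation completed and the GET was answered (legacy, exposed)
#   hung    - 'R' was sent but nothing followed (0.9.8l on either side)
#   unknown - renegotiation never started (e.g. the connect itself failed)
classify_transcript() {
  transcript=$1
  if ! printf '%s\n' "$transcript" | grep -q 'RENEGOTIATING'; then
    echo unknown; return
  fi
  # An SSL library error after RENEGOTIATING is the "connection dropped" case.
  if printf '%s\n' "$transcript" | grep -q 'error:.*SSL routines'; then
    echo refused; return
  fi
  if printf '%s\n' "$transcript" | grep -q '^HTTP/1\.[01] '; then
    # Newer s_client builds print this line in the handshake summary.
    if printf '%s\n' "$transcript" | grep -q 'Secure Renegotiation IS supported'; then
      echo secure
    else
      echo allowed
    fi
    return
  fi
  echo hung
}

# run_test HOST [PORT]
# Live check against your own server: the sleeps give the handshake and the
# renegotiation time to finish; closing stdin makes s_client exit, so a server
# that simply hangs does not block the script forever.
run_test() {
  host=$1; port=${2:-443}
  transcript=$( { sleep 2; printf 'R\n'; sleep 2
                  printf 'GET / HTTP/1.0\r\n\r\n'; sleep 3; } \
                | openssl s_client -connect "$host:$port" 2>&1 )
  classify_transcript "$transcript"
}
```

Run it as `run_test your.host.example` from a client whose openssl still performs legacy renegotiation (0.9.8k or older, as the post notes); a result of `allowed` on a server without RFC 5746 is the configuration the thread is about.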