Re: nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation

Maxim Dounin
February 14, 2010 06:42AM
Hello!

On Sat, Feb 13, 2010 at 11:45:15PM -0600, JW wrote:

> On Friday 12 February 2010 07:10:18 pm Maxim Dounin wrote:
>
> > Test is simple: run
> >
> > openssl s_client -connect <host>:443
> >
> > and once connection is established press 'R' and hit enter to
> > trigger renegotiation.
> >
> > Without the patch renegotiation will happen and connection will
> > stay alive. And you will be able to issue normal http request after
> > (something like "GET / HTTP/1.0"). With patch connection will be
> > dropped.
>
> This is what I get:
>
> ---
> R
> RENEGOTIATING
> 21395:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:530:
>
> So does that mean that actually the server is not vulnerable?

Yes. This means that you have patched nginx running, and it closes
connection once it detects renegotiation attempt. You aren't
vulnerable.

Maxim Dounin
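
The test described in this thread can be scored from a saved `openssl s_client` transcript. The following is an added example, not part of the original messages and not nginx project code: `classify_reneg` is a hypothetical helper name, and both sample transcripts are constructed (the patched one mirrors the output quoted above; the unpatched one assumes a plain `HTTP/1.1 200 OK` reply).

```shell
#!/bin/sh
# Added example (not from the thread). classify_reneg is a hypothetical helper:
# it reads a saved `openssl s_client` transcript on stdin and reports what
# happened after the 'R' command.
#   refused      - an SSL error follows RENEGOTIATING (patched behaviour above)
#   accepted     - an HTTP response follows RENEGOTIATING (connection survived)
#   inconclusive - renegotiation started, but no error and no response seen
#   not-tested   - transcript has no RENEGOTIATING line at all
classify_reneg() {
    awk '
        /^RENEGOTIATING/                          { seen = 1; next }
        seen && /:error:.*SSL routines/           { err = 1 }
        seen && /^HTTP\/1\.[01] [0-9][0-9][0-9]/  { http = 1 }
        END {
            if (!seen)     print "not-tested"
            else if (err)  print "refused"
            else if (http) print "accepted"
            else           print "inconclusive"
        }'
}

# Constructed sample: same shape as the output quoted in the thread.
sample_patched() {
    cat <<'EOF'
---
R
RENEGOTIATING
21395:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
EOF
}

# Constructed sample: renegotiation completes and "GET / HTTP/1.0" is answered.
sample_unpatched() {
    cat <<'EOF'
---
R
RENEGOTIATING
GET / HTTP/1.0

HTTP/1.1 200 OK
Server: nginx
EOF
}

echo "patched sample:   $(sample_patched | classify_reneg)"
echo "unpatched sample: $(sample_unpatched | classify_reneg)"
```

An "inconclusive" result means the transcript ended before either an error or a response appeared, so the test should be repeated with the follow-up request.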
