Re: [PATCH] Disable SSL renegotiation (CVE-2009-3555).

November 06, 2009 09:02AM
On Fri, Nov 06, 2009 at 04:28:52PM +0300, Maxim Dounin wrote:

> Hello!
>
> A patch that disables ssl renegotiation for old versions of openssl
> (links on the topic are in the patch itself for anyone who hasn't read
> them yet, and Google has plenty more).
>
> I tested this on openssl 0.9.7e (from freebsd 6.2) and the current
> 0.9.8l (where renegotiation is unavailable by default). It appears
> to work.
>
> If someone could test it, that would be great.

Thanks. For me, renegotiation does not happen in the openssl client, and the
client does not want to accept anything. As far as I understand, this is a problem with the
openssl client:

handshake:

2009/11/06 16:44:44 [debug] 69702#0: *1 http check ssl handshake
2009/11/06 16:44:44 [debug] 69702#0: *1 https ssl handshake: 0x80
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 118 slot: 4
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 2A827000
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 44 slot: 3
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 2A8260C0
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 32 slot: 2
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 2A828020
2009/11/06 16:44:44 [debug] 69702#0: *1 ssl new session: 15397595:32:118
2009/11/06 16:44:44 [debug] 69702#0: *1 SSL_do_handshake: 1
2009/11/06 16:44:44 [debug] 69702#0: *1 SSL: TLSv1, cipher: "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1"
2009/11/06 16:44:44 [debug] 69702#0: *1 http process request line
2009/11/06 16:44:44 [debug] 69702#0: *1 SSL_read: -1
2009/11/06 16:44:44 [debug] 69702#0: *1 SSL_get_error: 2
2009/11/06 16:44:44 [debug] 69702#0: timer delta: 1
2009/11/06 16:44:44 [debug] 69702#0: posted events 00000000
2009/11/06 16:44:44 [debug] 69702#0: worker cycle
2009/11/06 16:44:44 [debug] 69702#0: kevent timer: 14999, changes: 0

renegotiating:

2009/11/06 16:44:45 [debug] 69702#0: kevent events: 1
2009/11/06 16:44:45 [debug] 69702#0: kevent: 13: ft:-1 fl:0020 ff:00000000 d:133 ud:082A84E0
2009/11/06 16:44:45 [debug] 69702#0: *1 http process request line
2009/11/06 16:44:45 [info] 69702#0: *1 ignoring unexpected SSL renegotiation while SSL handshaking, client: 127.0.0.1, server: t42
2009/11/06 16:44:45 [debug] 69702#0: *1 SSL_read: -1
2009/11/06 16:44:45 [debug] 69702#0: *1 SSL_get_error: 2
2009/11/06 16:44:45 [debug] 69702#0: timer delta: 903
2009/11/06 16:44:45 [debug] 69702#0: posted events 00000000
2009/11/06 16:44:45 [debug] 69702#0: worker cycle
2009/11/06 16:44:45 [debug] 69702#0: kevent timer: 14096, changes: 0


--
Igor Sysoev
http://sysoev.ru
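
A log check for the event shown in the message above, as an added example that is not part of the original post or of nginx: it scans error-log text for the `ignoring unexpected SSL renegotiation` line and ties each hit to its connection (`*N`) and to whether `SSL_do_handshake: 1` was logged for that connection earlier. The sample lines are constructed from the log format quoted above; the function names and the `192.0.2.7` address are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the debug log lines quoted in the post above.
SAMPLE_LOG = """\
2009/11/06 16:44:44 [debug] 69702#0: *1 SSL_do_handshake: 1
2009/11/06 16:44:44 [debug] 69702#0: *1 SSL: TLSv1, cipher: "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1"
2009/11/06 16:44:44 [debug] 69702#0: slab alloc: 32 slot: 2
2009/11/06 16:44:45 [info] 69702#0: *1 ignoring unexpected SSL renegotiation while SSL handshaking, client: 127.0.0.1, server: t42
2009/11/06 16:44:46 [debug] 69702#0: *2 SSL_do_handshake: 1
2009/11/06 16:44:47 [info] 69702#0: *3 ignoring unexpected SSL renegotiation while SSL handshaking, client: 192.0.2.7, server: t42
"""

# Layout: date time [level] pid#tid: [*connection] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?:\*(?P<conn>\d+) )?(?P<msg>.*)$"
)
RENEG_RE = re.compile(
    r"^ignoring unexpected SSL renegotiation\b.*?client: (?P<client>[^,\s]+)"
)

def find_renegotiations(log_text):
    """Return one record per ignored renegotiation, tied to its connection."""
    handshake_done = set()   # (pid, conn) pairs that logged SSL_do_handshake: 1
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["conn"] is None:
            continue         # not connection-scoped (slab alloc, timers, ...)
        key = (m["pid"], m["conn"])
        if m["msg"] == "SSL_do_handshake: 1":
            handshake_done.add(key)
            continue
        r = RENEG_RE.match(m["msg"])
        if r:
            events.append({
                "time": m["ts"], "conn": int(m["conn"]), "client": r["client"],
                # False: this log never showed the connection's handshake completing
                "after_handshake": key in handshake_done,
            })
    return events

def count_by_client(events):
    return dict(Counter(e["client"] for e in events))

if __name__ == "__main__":
    evs = find_renegotiations(SAMPLE_LOG)
    print(evs, count_by_client(evs))
```

The handshake line only appears at debug level, so on a log written at `info` the `after_handshake` field will be `False` for every hit.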


