[Mod_nss-list] TLS MITM issues CVE-2009-3555 vs. mod_nss
Rob Crittenden
rcritten at redhat.com
Tue Nov 10 19:07:06 UTC 2009
Tomas Hoger wrote:
> Hi!
>
> I guess you've already heard of the TLS MITM issue that got reported
> last week. If not, this bug should have some quick links:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=533125
>
> So far, attacks using this flaw were only described for HTTPS. I was
> wondering what the plans are for fixing / mitigating this in mod_nss.
>
> Current effort on NSS field is to provide a mechanism to disable all
> renegotiation (no renegotiation is the default) before proposed TLS
> extension is implemented. This will impact mod_nss however, as it
> needs to do renegotiation in some cases (typically, when client
> certificate is not needed by default, but is needed for some portions
> of the site). NSS is going to offer an environment variable to toggle
> the setting, but renegotiation enabled will also allow client-requested
> renegotiation, which shouldn't be needed.
>
> mod_ssl upstream created an intermediate mitigation patch for the
> problem that disables client-requested renegotiation:
>
> http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
>
> It can be used instead of the updated OpenSSL, but will likely be
> further modified depending on what will be the behavior / default in
> future OpenSSL versions. It does not fix / mitigate the problem in
> setups where server-requested renegotiation is needed.
>
> Are there any plans for mod_nss modifications to address / mitigate
> this issue?
Yes, I'm looking into this. I'm not sure I can take the same approach as
mod_ssl since I have much less visibility into the SSL handshake with
NSS than with OpenSSL.
>
> Btw, can anyone update wiki:
>
> http://directory.fedoraproject.org/wiki/Mod_nss#Mailing_List
>
> to list correct mailing list archives / info page:
>
> https://www.redhat.com/mailman/listinfo/mod_nss-list
Fixed, thanks.
>
> "Request an account or log in" link only gives me a login page with no
> create account link.
The wiki has had ongoing spam issues so they frequently lock/unlock new
account creation. I guess it is currently locked down.
regards
rob
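To make the mechanics discussed in this thread concrete, the following is an added, constructed model (not mod_nss, mod_ssl, NSS or OpenSSL code, and every name in it is an assumption) of two things: how a TLS renegotiation lets an attacker's plaintext prefix be spliced in front of a victim's HTTP request so the server parses one merged request, and how a mod_ssl-style handshake-start hook that refuses client-initiated renegotiation while still letting the server renegotiate (e.g. to ask for a client certificate on a protected location) blocks the first case but, as Tomas notes, not the server-requested one.

```python
"""
Constructed model of the CVE-2009-3555 prefix injection and of an
"intermediate mitigation" that refuses client-initiated renegotiation.
Added illustration only: not the code of mod_nss, mod_ssl, NSS or OpenSSL.
The names below (RenegPolicy, run_scenario, the sample requests) are assumptions.
"""
from enum import Enum

# Constructed sample traffic.  The attacker's fragment deliberately ends in the
# middle of a header line so that the victim's request line is swallowed as
# that header's value, leaving the victim's Cookie header attached to the
# attacker-chosen request line.
ATTACKER_PREFIX = (b"GET /account/transfer?to=attacker HTTP/1.1\r\n"
                   b"Host: bank.example\r\n"
                   b"X-Ignore: ")
VICTIM_REQUEST = (b"GET / HTTP/1.1\r\n"
                  b"Host: bank.example\r\n"
                  b"Cookie: session=victim-secret\r\n\r\n")


def splice_plaintext(attacker_prefix: bytes, victim_request: bytes) -> bytes:
    """Server-side view: bytes sent before the renegotiation and bytes sent by
    the (proxied) victim after it arrive on one continuous plaintext stream, so
    the HTTP layer simply concatenates them."""
    return attacker_prefix + victim_request


def parse_request(stream: bytes) -> dict:
    """Minimal HTTP/1.x parser for the first request on the stream."""
    head, _, _body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


class Initiator(Enum):
    CLIENT = "client"
    SERVER = "server"


class RenegPolicy:
    """Assumed handshake-start hook.  Once the first handshake is complete, a
    further handshake is allowed only if the server itself asked for it (flag
    set just before it triggers the renegotiation) or if client-initiated
    renegotiation has been explicitly enabled."""

    def __init__(self, allow_client_reneg: bool = False):
        self.allow_client_reneg = allow_client_reneg
        self.established = False
        self.server_requested = False

    def on_handshake_done(self) -> None:
        self.established = True
        self.server_requested = False

    def request_client_cert(self) -> None:
        """Server needs a client certificate for this request: arm the flag."""
        self.server_requested = True

    def on_handshake_start(self) -> bool:
        """True: let the handshake proceed.  False: abort the connection."""
        if not self.established:
            return True            # initial handshake, always fine
        if self.server_requested:
            return True            # server-initiated renegotiation
        return self.allow_client_reneg


def run_scenario(policy: RenegPolicy, initiator: Initiator,
                 attacker_prefix: bytes = ATTACKER_PREFIX,
                 victim_request: bytes = VICTIM_REQUEST):
    """Return the request the server would parse, or None if the
    renegotiation was refused by the policy."""
    policy.on_handshake_done()            # attacker's own session is up
    if initiator is Initiator.SERVER:
        policy.request_client_cert()      # prefix targets a cert-protected URL
    if not policy.on_handshake_start():
        return None
    return parse_request(splice_plaintext(attacker_prefix, victim_request))


if __name__ == "__main__":
    for label, policy, who in (
        ("client-initiated, reneg allowed", RenegPolicy(True), Initiator.CLIENT),
        ("client-initiated, reneg refused", RenegPolicy(), Initiator.CLIENT),
        ("server-initiated, reneg refused", RenegPolicy(), Initiator.SERVER),
    ):
        print(label, "->", run_scenario(policy, who))
```

The third scenario is the one the thread is worried about for mod_nss: refusing client-initiated handshakes does nothing when the server legitimately renegotiates for a client certificate, because the attacker simply requests a resource that triggers that renegotiation and proxies the victim's handshake into it.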