[145033] in cryptography@c2.net mail archive


SSL: Another Protocol Bites The Dust

daemon@ATHENA.MIT.EDU (R.A. Hettinga)
Fri Nov 6 10:51:31 2009

From: "R.A. Hettinga" <rah@shipwright.com>
To: Gold Silver Crypto <gold-silver-crypto@rayservers.com>,
 cypherpunks@al-qaeda.net,
 Cryptography <cryptography@metzdowd.com>
Date: Thu, 5 Nov 2009 11:59:18 -0400

<http://www.links.org/?p=780>

Links


Ben Laurie blathering


Another Protocol Bites The Dust

For the last 6 weeks or so, a bunch of us have been working on a
really serious issue in SSL. In short, a man-in-the-middle can use SSL
renegotiation to inject an arbitrary prefix into any SSL session,
undetected by either end.

To make matters even worse, through a piece of (in retrospect)
incredibly bad design, HTTP servers will, under some circumstances,
replay that arbitrary prefix in a new authentication context. For
example, this is what happens if you configure Apache to require
client certificates for one directory but not another. Once it emerges
that your request is for a protected directory, a renegotiation will
occur to obtain the appropriate client certificate, and then the
original request (i.e. the stuff from the bad guy) gets replayed as if
it had been authenticated by the client certificate.

But it hasn't.

Not that the picture is all rosy even when client certificates are not
involved. Consider the attacker sending an HTTP request of his
choosing, ending with the unterminated line "X-Swallow-This: ". That
header will then swallow the real request sent by the real user, and
will cause any headers from the real user (including, say,
authentication cookies) to be appended to the evil request.

It's obviously going to take a little while for the world to patch
this – and since the news is spreading like wildfire I've put up a
patch to OpenSSL that bans all renegotiation. I'm sure an official
release will follow very shortly.

Note that the patch is against the head of the OpenSSL 0.9.8
development tree (that is, it is against 0.9.8l-dev). You may have to
do a little work to patch against other versions. And if you intend to
deploy this patch permanently, please change at least the textual
version of the version number, which you can find in
crypto/opensslv.h. Also note that if you need renegotiation for your
site to work, I have no solution for you, other than you redesign your
site. Sorry.

This entry was posted on Thursday, November 5th, 2009 at 8:03 and is
filed under Crypto, Open Source, Security.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
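
The header-swallowing behaviour described in the post, and the effect of refusing renegotiation, modelled offline as an added example (not code from the original post or from OpenSSL). The event list, host name, path, cookie value and function names are constructed for illustration; no TLS is performed.

```python
# Constructed sample: what the server's HTTP layer receives on one connection.
# The first chunk arrives before the renegotiation, the second after it.
INJECTED_PREFIX = (b"GET /attacker-chosen-path HTTP/1.1\r\n"
                   b"X-Swallow-This: ")            # unterminated header line
REAL_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: shop.example.test\r\n"
                b"Cookie: session=REAL-USER-SESSION\r\n\r\n")
EVENTS = [("data", INJECTED_PREFIX), ("renegotiate", b""), ("data", REAL_REQUEST)]


def parse_request(stream: bytes):
    """Minimal HTTP/1.1 head parser: returns (request_line, headers)."""
    head, _, _ = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def serve(events, allow_renegotiation: bool):
    """Feed connection events to one HTTP parser.

    With allow_renegotiation=True the buffer is carried across the
    renegotiation, so bytes from two differently authenticated peers are
    parsed as a single request. With False, the connection is dropped when
    a renegotiation is seen, which is the policy the post's patch applies.
    """
    buffered = b""
    for kind, payload in events:
        if kind == "renegotiate":
            if not allow_renegotiation:
                raise ConnectionAbortedError("renegotiation refused")
            continue  # the flaw: pre-renegotiation bytes stay in the buffer
        buffered += payload
    return parse_request(buffered)


if __name__ == "__main__":
    request_line, headers = serve(EVENTS, allow_renegotiation=True)
    print("request line:", request_line)
    print("swallowed   :", headers["x-swallow-this"])
    print("cookie      :", headers["cookie"])
    try:
        serve(EVENTS, allow_renegotiation=False)
    except ConnectionAbortedError as exc:
        print("patched     :", exc)
```

With renegotiation allowed, the real user's request line ends up as the value of `X-Swallow-This` and the real cookie is attached to the injected request line; with renegotiation refused, no request is parsed at all.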
