[Mod_nss-list] TLS MITM issues CVE-2009-3555 vs. mod_nss

Tomas Hoger thoger at redhat.com
Tue Nov 10 17:21:39 UTC 2009


Hi!

I guess you've already heard of the TLS MITM issue that got reported
last week.  If not, this bug should have some quick links:

  https://bugzilla.redhat.com/show_bug.cgi?id=533125

So far, attacks using this flaw were only described for HTTPS.  I was
wondering what the plans are for fixing / mitigating this in mod_nss.

Current effort on the NSS side is to provide a mechanism to disable all
renegotiation (no renegotiation being the default) before the proposed
TLS extension is implemented.  This will impact mod_nss, however, as it
needs to do renegotiation in some cases (typically, when a client
certificate is not needed by default, but is needed for some portions
of the site).  NSS is going to offer an environment variable to toggle
the setting, but enabling renegotiation will also allow client-requested
renegotiation, which shouldn't be needed.

mod_ssl upstream created an intermediate mitigation patch for the
problem that disables client-requested renegotiation:

  http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2

It can be used instead of the updated OpenSSL, but will likely be
further modified depending on what will be the behavior / default in
future OpenSSL versions.  It does not fix / mitigate the problem in
setups where server-requested renegotiation is needed.

Are there any plans for mod_nss modifications to address / mitigate
this issue?

Btw, can anyone update the wiki:

  http://directory.fedoraproject.org/wiki/Mod_nss#Mailing_List

to list the correct mailing list archives / info page:

  https://www.redhat.com/mailman/listinfo/mod_nss-list

The "Request an account or log in" link only gives me a login page with
no create-account link.

Thank you!

th.