[Mod_nss-list] TLS MITM issues CVE-2009-3555 vs. mod_nss
Rob Crittenden
rcritten at redhat.com
Fri Nov 20 14:42:23 UTC 2009
Tomas Hoger wrote:
> Hi Rob!
>
> On Tue, 10 Nov 2009 14:07:06 -0500 Rob Crittenden <rcritten at redhat.com>
> wrote:
>
>>> Are there any plans for mod_nss modifications to address / mitigate
>>> this issue?
>> Yes, I'm looking into this. I'm not sure I can take the same approach
>> as mod_ssl since I have much less visibility into the SSL handshake
>> with NSS than with OpenSSL.
>
> So do you think SSL_HandshakeCallback-registered callbacks should be
> insufficient? I do see HandshakeDone callback is already used during
> the server-initiated rehandshake to track its progress. It is then
> unregistered when rehandshake is done.
>
> What about registering another function instead of the NULL callback?
> The function that will trigger connection abort when called. Can that
> be a way or is unlikely to work and is not work more effort?
>
> Thank you!
Very clever idea!
I think this can be extended a bit too. We really should set the
handshake callback to something that returns SECFailure in all cases
except where we do a server-initiated renegotiation. So once the initial
handshake is completed we shouldn't allow any further handshaking
(unless initiated using existing mechanism). I need to check with the
NSS guys on a few things but this seems like a very simple way of fixing it.
thanks
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/mod_nss-list/attachments/20091120/bd6d5276/attachment.bin>
More information about the Mod_nss-list
mailing list