
Mailing List Archive: Apache: Bugs

[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

bugzilla at apache

Nov 9, 2009, 8:00 AM

Post #1 of 5
[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #41 from Mike <mike.pechkin [at] gmail> 2009-11-09 08:00:48 UTC ---
Joe, is the config from the first comment vulnerable to CVE-2009-3555?
Any comments?

p.s. Just started reading related links.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd


bugzilla at apache

Nov 9, 2009, 8:28 AM

Post #2 of 5
[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #42 from Ruediger Pluem <rpluem [at] apache> 2009-11-09 09:28:23 CET ---
(In reply to comment #41)
> Joe, is the config from the first comment vulnerable to CVE-2009-3555?

Yes it is, even with the patch applied. You can only "fix" it with OpenSSL
0.9.8l, but as soon as you use 0.9.8l this config will stop working altogether.



bugzilla at apache

Nov 9, 2009, 8:56 AM

Post #3 of 5
[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #43 from Mike <mike.pechkin [at] gmail> 2009-11-09 08:56:47 UTC ---
Ruediger,

1. Is the config still vulnerable if the user is redirected to
"/mihailp1/www-secure/s" only after double authentication by soft
(password-pin)?
2. Why is *this* config vulnerable if I disable renegotiation initiated by the client?

Thank you.



bugzilla at apache

Nov 9, 2009, 11:45 AM

Post #4 of 5
[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #44 from Ruediger Pluem <rpluem [at] apache> 2009-11-09 12:45:37 CET ---
(In reply to comment #43)
> Ruediger,
>
> 1. Is the config still vulnerable if the user is redirected to
> "/mihailp1/www-secure/s" only after double authentication by soft
> (password-pin)?

Yes.

> 2. Why is *this* config vulnerable if I disable renegotiation initiated by the client?

Server-triggered renegotiations have the same problems as client-triggered
renegotiations. The only difference is that the MIM needs to know a URL on the
server that triggers a server-initiated renegotiation, whereas with client-driven
renegotiation the client can decide this at will.
The only way to make your configuration safe is to move

SSLVerifyDepth 3
SSLVerifyClient require
SSLOptions +OptRenegotiate

to the virtual host level and thus protect the whole virtual host.

For more details see:

http://extendedsubset.com/Renegotiating_TLS.pdf
http://extendedsubset.com/Renegotiating_TLS_pd.pdf

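The two configuration shapes Ruediger contrasts in comment #44, as an added illustration (not from the bug report or the httpd project). The config from the bug's first comment is not on this page, so the per-Directory block is a reconstruction from the directives and path quoted in this thread; certificate paths are placeholders.

```apache
# Assumed shape of the per-Directory configuration under discussion.
# The initial TLS handshake for the vhost requests no client certificate.
# Only a request under the protected directory makes mod_ssl renegotiate
# and demand one, so the authentication happens in a renegotiated
# handshake inside an already-established connection (the CVE-2009-3555
# exposure described in comment #44).
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt    # placeholder
    SSLCertificateKeyFile /path/to/server.key    # placeholder

    <Directory "/mihailp1/www-secure/s">         # path quoted in the thread
        SSLVerifyDepth 3
        SSLVerifyClient require
        SSLOptions +OptRenegotiate
    </Directory>
</VirtualHost>

# Form recommended in comment #44: the same three directives moved to the
# virtual host level. The client certificate is required in the initial
# handshake for every request on this vhost, so the server never has to
# renegotiate to raise the verification level mid-connection.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt    # placeholder
    SSLCertificateKeyFile /path/to/server.key    # placeholder

    SSLVerifyDepth 3
    SSLVerifyClient require
    SSLOptions +OptRenegotiate
</VirtualHost>
```

The cost of the second form, as the thread implies, is that the whole virtual host becomes client-certificate-only, so unauthenticated content must live on a separate vhost.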


bugzilla at apache

Nov 9, 2009, 12:16 PM

Post #5 of 5
[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #45 from Mike <mike.pechkin [at] gmail> 2009-11-09 12:16:31 UTC ---
Ruediger, thank you for the reply.
