
bugzilla at apache
Nov 17, 2009, 2:25 AM
[Bug 48210] New: TLS / SSL Man-In-The-Middle Renegotiation Vulnerability
https://issues.apache.org/bugzilla/show_bug.cgi?id=48210

           Summary: TLS / SSL Man-In-The-Middle Renegotiation Vulnerability
           Product: Apache httpd-2
           Version: 2.2.14
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs [at] httpd
        ReportedBy: alcol [at] hotmail

TLS / SSL Man-In-The-Middle Renegotiation Vulnerability

TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. An industry-wide vulnerability exists in the TLS protocol that could impact many products that use any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

TLS 1.0 (and higher) and SSL 3.0 (and higher) do not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Affected versions and products include the TLS protocol 1.0 and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products.