Mailing List Archive: Apache: Dev

handling request splicing in case of server initiated renegotiation CVE-2009-3555

Index | Next | Previous | View Threaded

Hartmut.Keil at adnovum

Nov 16, 2009, 12:59 PM

Post #1 of 14 (1951 views)
Permalink

handling request splicing in case of server initiated renegotiation CVE-2009-3555

Hi everybody

for clarification of https://issues.apache.org/bugzilla/show_bug.cgi?id=48204
a more detailed explanation of the described attack scenario is given here.

With the patch CVE-2009-3555-2.2.patch client initiated renegotiation has been disabled,
as a consequence of CVE-2009-3555. But a MITM attacker can also use the server initiated
renegotiation for exceting an arbitrary request with the Cookie of a victim.
(see http://extendedsubset.com/Renegotiating_TLS.pdf )

The following is the output of ssldump between a MITM attacker and the server. Remarks from my side
are starting with '###', longish message are replace by '....'.

New TCP connection #1: adnws121.zh.adnovum.ch(44889) <-> adnpool01.zh.adnovum.ch(44300)
1 1 0.4423 (0.4423) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
....
1 2 0.4447 (0.0024) S>C Handshake
ServerHello
Version 3.1
....
1 3 0.4448 (0.0000) S>C Handshake
Certificate
1 4 0.4448 (0.0000) S>C Handshake
ServerHelloDone
1 5 0.4546 (0.0098) C>S Handshake
ClientKeyExchange
1 6 0.4595 (0.0049) C>S ChangeCipherSpec
1 7 0.5504 (0.0908) C>S Handshake
Finished
1 8 0.5513 (0.0009) S>C ChangeCipherSpec
1 9 0.5513 (0.0000) S>C Handshake
Finished

### up to here the MITM has established a normale handshake with the server

1 10 0.5521 (0.0008) C>S application_data
---------------------------------------------------------------
GET /cert/hacked.html HTTP/1.1
Host: adnpool01.zh.adnovum.ch

GET /cert/injected.html HTTP/1.1
Host: adnpool01.zh.adnovum.ch
X-Ignore: ---------------------------------------------------------------

### the MITM is sending two request in one chunk application_data: First a complete
request, that is causes the server to initiate a renegotiation. And second request, that
is incomplete, since the last header 'X-Ignore:' is not terminated by CRLF.
At this point the server has consumend and decrypted both requests, because the request line
will be readed with buffer size of 2*8190 (the default of the configuration paramter LimitRequestLine)

rv = ap_rgetline(&(r->the_request), (apr_size_t)(r->server->limit_req_line + 2),
&len, r, 0, bb);

And in ssl_io_input_getline(..) all decrypted data will be written to a buffer:

static apr_status_t ssl_io_input_getline(bio_filter_in_ctx_t *inctx,
char *buf,
apr_size_t *len)
{
....
....
if (pos) {
char *value;
int length;
apr_size_t bytes = pos - buf;

bytes += 1;
value = buf + bytes;
length = *len - bytes;

char_buffer_write(&inctx->cbuf, value, length);

*len = bytes;
}

return APR_SUCCESS;
}

And any subsequent call of ssl_io_input_read(..) will first consume the data in the buffer!!!!!

1 11 0.5584 (0.0062) S>C Handshake
HelloRequest

### the server is initiating a renegation, due to 'SSLVerifyClient require' configuration
for the location /cert/*
From now on the MITM is just downstreaming the decrypted data to the victim. And upstreaming
the encrypted data to the server, until he observes the change_cipher_spec messages.

1 12 0.6504 (0.0919) C>S Handshake
ClientHello
Version 3.1
cipher suites
....
1 13 0.6530 (0.0025) S>C Handshake
ServerHello
Version 3.1
....
1 14 0.6530 (0.0000) S>C Handshake
Certificate
1 15 0.6530 (0.0000) S>C Handshake
CertificateRequest
....
ServerHelloDone
1 16 4.5204 (3.8674) C>S Handshake
Certificate
1 17 4.5204 (0.0000) C>S Handshake
ClientKeyExchange
1 18 4.5204 (0.0000) C>S Handshake
CertificateVerify
....
1 19 4.5204 (0.0000) C>S ChangeCipherSpec
1 20 4.5204 (0.0000) C>S Handshake
Finished
1 21 4.5589 (0.0384) S>C ChangeCipherSpec
1 22 4.5589 (0.0000) S>C Handshake
Finished
1 23 4.5619 (0.0030) S>C application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 16 Nov 2009 19:53:25 GMT
Server: Apache
...

---------------------------------------------------------------
1 24 4.5619 (0.0000) S>C application_data
---------------------------------------------------------------
....
---------------------------------------------------------------
1 25 4.6604 (0.0984) C>S application_data
---------------------------------------------------------------
GET /cert/index.html HTTP/1.1
Cookie: JSESSIONID=bhe8r67be3wy943hf73
....

### After recieving the request of the victim the server can complete the incomplete second request of MITM.
The server is reading the following request header:

GET /cert/injected.html HTTP/1.1
X-Ignore: GET /cert/index.html HTTP/1.1
Cookie: JSESSIONID=bhe8r67be3wy943hf73
....

I.e. the second request of the attacker will be executed with the
Cookie of the victim, and so the attacker is puting its payload into
the second request.

---------------------------------------------------------------
1 26 4.6666 (0.0062) S>C application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 16 Nov 2009 19:53:29 GMT
Server: Apache
....

---------------------------------------------------------------
1 27 4.6666 (0.0000) S>C application_data
---------------------------------------------------------------
....
---------------------------------------------------------------
1 28 9.6708 (5.0042) S>C Alert
level warning
value close_notify
1 9.6713 (0.0004) S>C TCP FIN

With the change described in https://issues.apache.org/bugzilla/show_bug.cgi?id=48204
the buffer used in ssl_io_input_read(..) will be reset, and so the second request of
the MITM will be dropped.
The first request will be executed, but since there is no Cookie from the victim is the
less dangerous one.

There are no side effects for two reasons:
o any upload body is buffered in ssl_hook_Access(..)
before the server is initiating a renegotiation
o normal clients are following the 'request/response' pattern
of HTTP. They do not send a second request without awaiting the
response of the first one. They use several connections.

Regards

Hartmut Keil

--
AdNovum Informatik AG
Hartmut Keil, Senior Software Engineer
Dipl. Physiker

Roentgenstrasse 22, CH-8005 Zurich
mailto:hartmut.keil [at] adnovum
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch

AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)

jorton at redhat

Nov 16, 2009, 2:19 PM

Post #2 of 14 (1904 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

On Mon, Nov 16, 2009 at 09:59:12PM +0100, Hartmut Keil wrote:
> With the change described in https://issues.apache.org/bugzilla/show_bug.cgi?id=48204
> the buffer used in ssl_io_input_read(..) will be reset, and so the second request of
> the MITM will be dropped.
> The first request will be executed, but since there is no Cookie from the victim is the
> less dangerous one.

Thanks for posting. So you are proposing that mod_ssl discards any
decoded app-data message (i.e. HTTP traffic) *subsequent* to the data
making up the request which triggered the renegotiation, but before the
renegotiation occurs.

This change would prevent a variant of the renegotiation prefix attack
against a site which uses both client cert auth in a per-dir/location
context, *and* HTTP-level authentication. It makes no difference to a
vulnerable site relying only on client cert auth in per-dir/loc context;
this would still be vulnerable.

This would break HTTP pipelining over SSL (for affected configurations),
and it might not fail gracefully - the server would appear to simply
never receive the pipelined requests. I'm relucant to do that.

A similar solution which detected pending buffered bytes after
completing the handshake (SSL_pending(ssl) does this), and giving a hard
failure (TLS level or HTTP level) might be better, but I haven't thought
that through in detail.

Regards, Joe

Hartmut.Keil at adnovum

Nov 17, 2009, 2:42 AM

Post #3 of 14 (1894 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

Hi Joe

Joe Orton wrote:
> On Mon, Nov 16, 2009 at 09:59:12PM +0100, Hartmut Keil wrote:
>> With the change described in https://issues.apache.org/bugzilla/show_bug.cgi?id=48204
>> the buffer used in ssl_io_input_read(..) will be reset, and so the second request of
>> the MITM will be dropped.
>> The first request will be executed, but since there is no Cookie from the victim is the
>> less dangerous one.
>
> Thanks for posting. So you are proposing that mod_ssl discards any
> decoded app-data message (i.e. HTTP traffic) *subsequent* to the data
> making up the request which triggered the renegotiation, but before the
> renegotiation occurs.

Correct

>
> This change would prevent a variant of the renegotiation prefix attack
> against a site which uses both client cert auth in a per-dir/location
> context, *and* HTTP-level authentication. It makes no difference to a
> vulnerable site relying only on client cert auth in per-dir/loc context;
> this would still be vulnerable.

The same situation occurs if stronger cipher suites are configured per location,
a wide used configuration pattern:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

<Location / >
SSLCipherSuite HIGH:+AES:-MD5
</Location>

>
> This would break HTTP pipelining over SSL (for affected configurations),
> and it might not fail gracefully - the server would appear to simply
> never receive the pipelined requests. I'm relucant to do that.

No, the proposed change would just affect to buffering-optimization in ssl_io_input_getline(...).
Pipelining HTTP over SSL does not required, to decrypt/buffer more data then needed.

>
> A similar solution which detected pending buffered bytes after
> completing the handshake (SSL_pending(ssl) does this), and giving a hard
> failure (TLS level or HTTP level) might be better, but I haven't thought
> that through in detail.

That is no solution since the data are already consumed from SSL, there
are no pending application_data.

>
> Regards, Joe

Regards
Hartmut

--
AdNovum Informatik AG
Hartmut Keil, Senior Software Engineer
Dipl. Physiker

Roentgenstrasse 22, CH-8005 Zurich
mailto:hartmut.keil [at] adnovum
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch

AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)

jorton at redhat

Nov 17, 2009, 5:08 AM

Post #4 of 14 (1891 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

On Tue, Nov 17, 2009 at 11:42:40AM +0100, Hartmut Keil wrote:
> Joe Orton wrote:
> > This would break HTTP pipelining over SSL (for affected configurations),
> > and it might not fail gracefully - the server would appear to simply
> > never receive the pipelined requests. I'm relucant to do that.
>
> No, the proposed change would just affect to buffering-optimization in
> ssl_io_input_getline(...). Pipelining HTTP over SSL does not required,
> to decrypt/buffer more data then needed.

I don't follow this. The second request injected by the attacker in the
example you give is a pipelined HTTP request, and your proposal is to
drop such a request exactly because it was pipelined (the client did not
stop and wait for the response before sending it). What am I missing?

Regards, Joe

Hartmut.Keil at adnovum

Nov 17, 2009, 9:12 AM

Post #5 of 14 (1882 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

Joe Orton wrote:
> On Tue, Nov 17, 2009 at 11:42:40AM +0100, Hartmut Keil wrote:
>> Joe Orton wrote:
>>> This would break HTTP pipelining over SSL (for affected configurations),
>>> and it might not fail gracefully - the server would appear to simply
>>> never receive the pipelined requests. I'm relucant to do that.
>> No, the proposed change would just affect to buffering-optimization in
>> ssl_io_input_getline(...). Pipelining HTTP over SSL does not required,
>> to decrypt/buffer more data then needed.
>
> I don't follow this. The second request injected by the attacker in the
> example you give is a pipelined HTTP request, and your proposal is to
> drop such a request exactly because it was pipelined (the client did not
> stop and wait for the response before sending it). What am I missing?
>

The client must stop and wait for the response in any case, otherwise the
response of a subsequent request will get lost, if the server is not configured
for keep-alive, or the response for the first request causes the server to close
the connection:

client is sending two requests:
GET /one HTTP/1.1
Host:....

GET /two HTTP/1.1
Host:....

server is sending the response for the first request, and is closing the connection
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
....

Regards
Hartmut

--
AdNovum Informatik AG
Hartmut Keil, Senior Software Engineer
Dipl. Physiker

Roentgenstrasse 22, CH-8005 Zurich
mailto:hartmut.keil [at] adnovum
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch

AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)

jorton at redhat

Nov 19, 2009, 1:30 AM

Post #6 of 14 (1841 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

On Tue, Nov 17, 2009 at 06:12:41PM +0100, Hartmut Keil wrote:
> The client must stop and wait for the response in any case, otherwise the
> response of a subsequent request will get lost, if the server is not configured
> for keep-alive, or the response for the first request causes the server to close
> the connection:

It's not the case that clients "must stop and wait" - read RFC 2616 for
a description of HTTP pipelining.

Regards, Joe

Hartmut.Keil at adnovum

Nov 19, 2009, 7:05 AM

Post #7 of 14 (1831 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

Joe Orton wrote:
> On Tue, Nov 17, 2009 at 06:12:41PM +0100, Hartmut Keil wrote:
>> The client must stop and wait for the response in any case, otherwise the
>> response of a subsequent request will get lost, if the server is not configured
>> for keep-alive, or the response for the first request causes the server to close
>> the connection:
>
> It's not the case that clients "must stop and wait" - read RFC 2616 for
> a description of HTTP pipelining.

Your right, I missed that point.

According http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.1.2.2

"...Clients MUST also be prepared to resend their requests if the server closes the connection before sending all
of the corresponding responses. ...."

we are allowed to close the keepalive connection, after sending the response.

With the proposed change, we prevent request splitting attacks based on the TSL renegotiation flaw. From
my point of view without drawbacks, since 'pipelining' clients must handle the closing of a connection after
a complete response in any case.

Regards
Hartmut

--- ssl_engine_io.c.patched 2009-11-16 10:57:23.416525000 +0100
+++ ssl_engine_io.c 2009-11-19 15:52:28.852264000 +0100
@@ -478,6 +478,13 @@
inctx->rc = APR_ECONNABORTED;
return -1;
}
+ /* Clear buffer with decrypted data if the server has initiated a renegotiation.*/
+ if (inctx->filter_ctx->config->reneg_state == RENEG_ALLOW) {
+ char_buffer_write(&inctx->cbuf, NULL, 0);
+ /* disable keep alive */
+ conn_rec *c = (conn_rec *)SSL_get_app_data(inctx->filter_ctx->pssl);
+ c->keepalive = AP_CONN_CLOSE;
+ }

/* XXX: flush here only required for SSLv2;
* OpenSSL calls BIO_flush() at the appropriate times for

>
> Regards, Joe
>

--
AdNovum Informatik AG
Hartmut Keil, Senior Software Engineer
Dipl. Physiker

Roentgenstrasse 22, CH-8005 Zurich
mailto:hartmut.keil [at] adnovum
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch

AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)

jorton at redhat

Nov 19, 2009, 7:58 AM

Post #8 of 14 (1840 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote:
> With the proposed change, we prevent request splitting attacks based
> on the TSL renegotiation flaw. From my point of view without
> drawbacks, since 'pipelining' clients must handle the closing of a
> connection after a complete response in any case.

Yes, I agree, this seems very sensible, I can't see any problem with
this.

I would prefer to do it in a slightly more general way as below, which
would catch the case where any other module's connection filter had
buffered the data, and adds appropriate logging.

(more general but which required half a day tracking down an obscure bug
in the BIO/filters, also fixed below...)

Testing on this version very welcome!

Index: ssl_engine_kernel.c
===================================================================
--- ssl_engine_kernel.c (revision 882089)
+++ ssl_engine_kernel.c (working copy)
@@ -87,6 +87,29 @@
return APR_SUCCESS;
}

+/* Do a non-blocking read from the connection filters to see whether
+ * there is any pending data on the connection. Return non-zero if
+ * there is, else zero. */
+static int has_pending_data(request_rec *r)
+{
+ apr_bucket_brigade *bb;
+ apr_off_t len;
+ apr_status_t rv;
+ int result;
+
+ bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
+
+ rv = ap_get_brigade(r->connection->input_filters, bb, AP_MODE_SPECULATIVE,
+ APR_NONBLOCK_READ, 1);
+ result = rv == APR_SUCCESS
+ && apr_brigade_length(bb, 1, &len) == APR_SUCCESS
+ && len > 0;
+
+ apr_brigade_destroy(bb);
+
+ return result;
+}
+
/*
* Post Read Request Handler
*/
@@ -724,6 +747,23 @@
else {
request_rec *id = r->main ? r->main : r;

+ /* Mitigation for CVE-2009-3555: At this point, before
+ * renegotiating, an (entire) request has been read from
+ * the connection. An attacker may have sent further data
+ * to "prefix" any subsequent request by the victim's
+ * client after the renegotiation; this data may already
+ * have been read and buffered. Forcing a connection
+ * closure after the first response ensures such data will
+ * be discarded. Legimately pipelined HTTP requests will
+ * be retried anyway with this approach. */
+ if (has_pending_data(r)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "insecure SSL re-negotiation required, but "
+ "a pipelined request is present; keepalive "
+ "disabled");
+ r->connection->keepalive = AP_CONN_CLOSE;
+ }
+
/* do a full renegotiation */
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"Performing full renegotiation: "
Index: ssl_engine_io.c
===================================================================
--- ssl_engine_io.c (revision 882089)
+++ ssl_engine_io.c (working copy)
@@ -1344,9 +1344,17 @@
}
else {
/* We have no idea what you are talking about, so return an error. */
- return APR_ENOTIMPL;
+ status = APR_ENOTIMPL;
}

+ /* It is possible for mod_ssl's BIO to be used outside of the
+ * direct control of mod_ssl's input or output filter -- notably,
+ * when mod_ssl initiates a renegotiation. Switching the BIO mode
+ * back to "blocking" here ensures such operations don't fail with
+ * SSL_ERROR_WANT_READ. */
+ inctx->block = APR_BLOCK_READ;
+
+ /* Handle custom errors. */
if (status != APR_SUCCESS) {
return ssl_io_filter_error(f, bb, status);
}

jmdesp at free

Nov 19, 2009, 8:41 AM

Post #9 of 14 (1844 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

Joe Orton wrote:
> On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote:
>> > [...] From my point of view without
>> > drawbacks, since 'pipelining' clients must handle the closing of a
>> > connection after a complete response in any case.
> Yes, I agree, this seems very sensible, I can't see any problem with
> this.

It seems very sensible *if* it works in practice, it would be better to
check with clients if they actually implement this properly.

If it's so easy, I'm surprised it hasn't been done earlier, instead of
that ugly solution of queuing POST requests inside a buffer (ref bug 39243)

Hartmut.Keil at adnovum

Nov 20, 2009, 4:40 AM

Post #10 of 14 (1799 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

Joe Orton wrote:
> On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote:
>> With the proposed change, we prevent request splitting attacks based
>> on the TSL renegotiation flaw. From my point of view without
>> drawbacks, since 'pipelining' clients must handle the closing of a
>> connection after a complete response in any case.
>
> Yes, I agree, this seems very sensible, I can't see any problem with
> this.
>
> I would prefer to do it in a slightly more general way as below, which
> would catch the case where any other module's connection filter had
> buffered the data, and adds appropriate logging.
>

Ok, I agree with your approach, giving more information what happens.
(maybe having a trace with info would be enough, since it can occurr under
normal circumstances)

> (more general but which required half a day tracking down an obscure bug
> in the BIO/filters, also fixed below...)
yep, that fix is essential for the case here
>
> Testing on this version very welcome!

If have successfully tested the change with the following setup
(the one described in my initial mail):

o for the location /cert/* SSLVerifyClient require is configured

o the MTIM attacker is injecting one complete request that causes the
server to initiated the renegotiation.
And a second incomplete one for request splitting

The proposed change is dropping the second incomplete request. The file
ssldump.patched in the attachment shows the output of ssldump with the
change, the file ssldump.injected without.

Regards
Hartmut

>
> Index: ssl_engine_kernel.c
> ===================================================================
> --- ssl_engine_kernel.c (revision 882089)
> +++ ssl_engine_kernel.c (working copy)
> @@ -87,6 +87,29 @@
> return APR_SUCCESS;
> }
>
> +/* Do a non-blocking read from the connection filters to see whether
> + * there is any pending data on the connection. Return non-zero if
> + * there is, else zero. */
> +static int has_pending_data(request_rec *r)
> +{
> + apr_bucket_brigade *bb;
> + apr_off_t len;
> + apr_status_t rv;
> + int result;
> +
> + bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
> +
> + rv = ap_get_brigade(r->connection->input_filters, bb, AP_MODE_SPECULATIVE,
> + APR_NONBLOCK_READ, 1);
> + result = rv == APR_SUCCESS
> + && apr_brigade_length(bb, 1, &len) == APR_SUCCESS
> + && len > 0;
> +
> + apr_brigade_destroy(bb);
> +
> + return result;
> +}
> +
> /*
> * Post Read Request Handler
> */
> @@ -724,6 +747,23 @@
> else {
> request_rec *id = r->main ? r->main : r;
>
> + /* Mitigation for CVE-2009-3555: At this point, before
> + * renegotiating, an (entire) request has been read from
> + * the connection. An attacker may have sent further data
> + * to "prefix" any subsequent request by the victim's
> + * client after the renegotiation; this data may already
> + * have been read and buffered. Forcing a connection
> + * closure after the first response ensures such data will
> + * be discarded. Legimately pipelined HTTP requests will
> + * be retried anyway with this approach. */
> + if (has_pending_data(r)) {
> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> + "insecure SSL re-negotiation required, but "
> + "a pipelined request is present; keepalive "
> + "disabled");
> + r->connection->keepalive = AP_CONN_CLOSE;
> + }
> +
> /* do a full renegotiation */
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> "Performing full renegotiation: "
> Index: ssl_engine_io.c
> ===================================================================
> --- ssl_engine_io.c (revision 882089)
> +++ ssl_engine_io.c (working copy)
> @@ -1344,9 +1344,17 @@
> }
> else {
> /* We have no idea what you are talking about, so return an error. */
> - return APR_ENOTIMPL;
> + status = APR_ENOTIMPL;
> }
>
> + /* It is possible for mod_ssl's BIO to be used outside of the
> + * direct control of mod_ssl's input or output filter -- notably,
> + * when mod_ssl initiates a renegotiation. Switching the BIO mode
> + * back to "blocking" here ensures such operations don't fail with
> + * SSL_ERROR_WANT_READ. */
> + inctx->block = APR_BLOCK_READ;
> +
> + /* Handle custom errors. */
> if (status != APR_SUCCESS) {
> return ssl_io_filter_error(f, bb, status);
> }
>

--
AdNovum Informatik AG
Hartmut Keil, Senior Software Engineer
Dipl. Physiker

Roentgenstrasse 22, CH-8005 Zurich
mailto:hartmut.keil [at] adnovum
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch

AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)

Attachments:

ssldump.injected (6.72 KB)

ssldump.patched (5.81 KB)

rpluem at apache

Nov 26, 2009, 1:06 PM

Post #11 of 14 (1646 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

On 11/19/2009 04:58 PM, Joe Orton wrote:
> On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote:
>> With the proposed change, we prevent request splitting attacks based
>> on the TSL renegotiation flaw. From my point of view without
>> drawbacks, since 'pipelining' clients must handle the closing of a
>> connection after a complete response in any case.
>
> Yes, I agree, this seems very sensible, I can't see any problem with
> this.
>
> I would prefer to do it in a slightly more general way as below, which
> would catch the case where any other module's connection filter had
> buffered the data, and adds appropriate logging.
>
> (more general but which required half a day tracking down an obscure bug
> in the BIO/filters, also fixed below...)
>
> Testing on this version very welcome!

Anything that prevents this from committing?

Regards

Rüdiger

rpluem at apache

Dec 13, 2009, 9:59 AM

Post #12 of 14 (1440 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

On 26.11.2009 22:06, Ruediger Pluem wrote:
>
> On 11/19/2009 04:58 PM, Joe Orton wrote:
>> On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote:
>>> With the proposed change, we prevent request splitting attacks based
>>> on the TSL renegotiation flaw. From my point of view without
>>> drawbacks, since 'pipelining' clients must handle the closing of a
>>> connection after a complete response in any case.
>> Yes, I agree, this seems very sensible, I can't see any problem with
>> this.
>>
>> I would prefer to do it in a slightly more general way as below, which
>> would catch the case where any other module's connection filter had
>> buffered the data, and adds appropriate logging.
>>
>> (more general but which required half a day tracking down an obscure bug
>> in the BIO/filters, also fixed below...)
>>
>> Testing on this version very welcome!
>
> Anything that prevents this from committing?

Ping, Joe?

Regards

Rüdiger

jorton at redhat

Dec 16, 2009, 8:01 AM

Post #13 of 14 (1411 views)
Permalink

Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

On Sun, Dec 13, 2009 at 06:59:37PM +0100, Ruediger Pluem wrote:
> On 26.11.2009 22:06, Ruediger Pluem wrote:
> > On 11/19/2009 04:58 PM, Joe Orton wrote:
> >> Yes, I agree, this seems very sensible, I can't see any problem with
> >> this.
> >>
> >> I would prefer to do it in a slightly more general way as below, which
> >> would catch the case where any other module's connection filter had
> >> buffered the data, and adds appropriate logging.
> >>
> >> (more general but which required half a day tracking down an obscure bug
> >> in the BIO/filters, also fixed below...)
> >>
> >> Testing on this version very welcome!
> >
> > Anything that prevents this from committing?
>
> Ping, Joe?

Sorry - trying to keep too many plates spinning at the moment:

Done in http://svn.apache.org/viewvc?view=revision&revision=891282

Regards, Joe

ruediger.pluem at vodafone

Dec 16, 2009, 8:20 AM

Post #14 of 14 (1410 views)
Permalink

RE: handling request splicing in case of server initiated renegotiation CVE-2009-3555 [In reply to]

> -----Original Message-----
> From: Joe Orton [mailto:jorton [at] redhat]
> Sent: Mittwoch, 16. Dezember 2009 17:02
> To: dev [at] httpd
> Subject: Re: handling request splicing in case of server
> initiated renegotiation CVE-2009-3555
>
> On Sun, Dec 13, 2009 at 06:59:37PM +0100, Ruediger Pluem wrote:
> > On 26.11.2009 22:06, Ruediger Pluem wrote:
> > > On 11/19/2009 04:58 PM, Joe Orton wrote:
> > >> Yes, I agree, this seems very sensible, I can't see any
> problem with
> > >> this.
> > >>
> > >> I would prefer to do it in a slightly more general way
> as below, which
> > >> would catch the case where any other module's connection
> filter had
> > >> buffered the data, and adds appropriate logging.
> > >>
> > >> (more general but which required half a day tracking
> down an obscure bug
> > >> in the BIO/filters, also fixed below...)
> > >>
> > >> Testing on this version very welcome!
> > >
> > > Anything that prevents this from committing?
> >
> > Ping, Joe?
>
> Sorry - trying to keep too many plates spinning at the moment:
>
> Done in http://svn.apache.org/viewvc?view=revision&revision=891282
>

Thanks Joe.

Regards

R�diger

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads