Test of disabled renegotiation in 0.9.8l

Boyle Owen
Nov 11, 2009, 7:00:09 AM
Greetings,

I am testing the behaviour of 0.9.8l with respect to client
renegotiation. The build is httpd-2.2.14 with openssl-0.9.8l on Solaris
10. I do:

$ openssl s_client -connect wibble:443
...
GET / HTTP/1.1
Host:wibble
R
RENEGOTIATING

Then the connection hangs and I get no further data back from the
server.
On http://wibble/server-status, I see:

6-0 17718 0/1/1 R 0.14 31 90 0.0 0.00 0.00 ? ? ..reading..

This stays like this until I kill the session. Is this the intended
behaviour? I thought it was supposed to drop the connection?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message.
The sender's company reserves the right to monitor all e-mail communications through their networks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org

Tomas Hoger
Nov 11, 2009, 11:23:06 AM
On Wed, 11 Nov 2009 13:00:09 +0100 "Boyle Owen"
<Owen....@six-group.com> wrote:

> This stays like this until I kill the session. Is this the intended
> behaviour? I thought it was supposed to drop the connection?

Probably not intended, at least behavior of current 0.9.8-stable CVS is
different now. See my mail with quite similar question:
http://marc.info/?l=openssl-dev&m=125792743829558&w=2

Not an official answer, but hope it helps a bit.

th.

Boyle Owen
Nov 12, 2009, 5:29:50 AM
> Probably not intended, at least behavior of current 0.9.8-stable CVS is
> different now. See my mail with quite similar question:
> http://marc.info/?l=openssl-dev&m=125792743829558&w=2

Thanks Tomas, interesting post... I have tested various builds against
the client renegotiation vulnerability and get the following results:

httpd-2.2.14 (unpatched) with openssl-0.9.8l:
connection "hangs", both sides reading connection

httpd-2.2.14 (with CVE-2009-3555-2.2.patch) with openssl-0.9.8l:
connection "hangs", both sides reading connection

httpd-2.2.14 (with CVE-2009-3555-2.2.patch) with openssl-0.9.8k:
connection dropped by server with:
25217:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:534:

I don't want to risk connections getting hung up, so my conclusion is
that I should deploy the patched version of mod_ssl with 0.9.8k. Or is a
0.9.8m in the offing?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

PS: Test method:

$ openssl s_client -connect wibble:443
...
GET / HTTP/1.1
Host:wibble
R

PPS: Although I have subscribed to this list, I am not getting the mails
(I have to keep checking the archives). Is there anyone who can check
out my account?


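The test method in the message above (an HTTP request, then `R` on its own line in `openssl s_client`) is easy to repeat by hand but hard to compare across builds, because a "hung" connection and a dropped one look different only in whether s_client ever returns. The following POSIX shell script is an added example, not part of the thread or of OpenSSL or httpd: it drives the same s_client keystrokes against a server you operate, keeps stdin open long enough for a hang to be visible, and classifies the captured output into the three outcomes the thread reports. It assumes GNU coreutils `timeout` is available; the outcome labels and the `PROBE-TIMEOUT` marker line are this script's own conventions.

```shell
#!/bin/sh
# Added example, not from the thread: script the `openssl s_client` renegotiation
# probe described above against a server you operate, capture the output, and
# classify what happened. Assumes GNU coreutils `timeout`; the outcome labels
# and the PROBE-TIMEOUT marker are this script's own.

# probe_renego HOST PORT OUTFILE [HOLD_SECONDS]
# Sends an HTTP request, then "R" (s_client's renegotiate command), then keeps
# stdin open for HOLD_SECONDS so a hung connection shows up as a timeout
# instead of being masked by s_client closing the connection on EOF.
probe_renego() {
    host="$1"; port="$2"; out="$3"; hold="${4:-10}"
    rc=0
    {
        printf 'GET / HTTP/1.1\r\nHost: %s\r\n\r\n' "$host"
        sleep 2            # let the first response arrive before renegotiating
        printf 'R\n'
        sleep "$hold"
    } | timeout "$((hold + 5))" openssl s_client -connect "$host:$port" > "$out" 2>&1 || rc=$?
    # timeout exits 124 when it had to kill s_client: record that in the capture
    [ "$rc" -eq 124 ] && printf 'PROBE-TIMEOUT\n' >> "$out"
    return 0
}

# classify_renego_output FILE
# Prints one of:
#   no-renegotiation-attempted  s_client never printed RENEGOTIATING
#   rejected    the renegotiation ended in an SSL error or alert (the
#               0.9.8k + patched mod_ssl behaviour reported in the thread)
#   hung        no error and no close before the timeout (the 0.9.8l case)
#   completed   s_client returned with no SSL error after RENEGOTIATING;
#               inspect the capture for the second response before trusting it
classify_renego_output() {
    f="$1"
    if ! grep -q '^RENEGOTIATING' "$f"; then
        echo "no-renegotiation-attempted"
        return 0
    fi
    # Only look at what happened after the renegotiation request; the initial
    # handshake may legitimately print "verify error:" lines that must be ignored.
    after=$(sed -n '/^RENEGOTIATING/,$p' "$f")
    if printf '%s\n' "$after" | grep -qE 'SSL routines|alert (handshake failure|no renegotiation)'; then
        echo "rejected"
    elif printf '%s\n' "$after" | grep -q '^PROBE-TIMEOUT$'; then
        echo "hung"
    else
        echo "completed"
    fi
}

# Usage against a host you administer (not run here):
#   probe_renego www.example.org 443 /tmp/renego.txt 10
#   classify_renego_output /tmp/renego.txt
```

The classifier deliberately restricts itself to the part of the capture after `RENEGOTIATING`, because s_client prints `verify error:` lines during the initial handshake on self-signed or untrusted certificates and a naive grep for `error` would mislabel every such server as rejecting renegotiation.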

Lutz Jaenicke
Nov 12, 2009, 7:43:08 AM
Boyle Owen wrote:
> PPS: Although I have subscribed to this list, I am not getting the mails
> (I have to keep checking the archives). Is there anyone who can check
> out my account?
>

Hmm. If memory serves me right there was a "subscribe" message sent to
the list instead of the mailing list manager (which I then moderated
away)...
Please try again, we do have some handy form on the web page.

Best regards,
Lutz
