I am testing the behaviour of 0.9.8l with respect to client
renegotiation. The build is httpd-2.2.14 with openssl-0.9.8l on Solaris
10. I do:
$ openssl s_client -connect wibble:443
...
GET / HTTP/1.1
Host:wibble
R
RENEGOTIATING
Then the connection hangs and I get no further data back from the
server.
On http://wibble/server-status, I see:
6-0 17718 0/1/1 R 0.14 31 90 0.0 0.00 0.00 ? ? ..reading..
This stays like this until I kill the session. Is this the intended
behaviour? I thought it was supposed to drop the connection?
Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message.
The sender's company reserves the right to monitor all e-mail communications through their networks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org
> This stays like this until I kill the session. Is this the intended
> behaviour? I thought it was supposed to drop the connection?
Probably not intended; at least the behavior of the current 0.9.8-stable CVS is
different now. See my mail with a quite similar question:
http://marc.info/?l=openssl-dev&m=125792743829558&w=2
Not an official answer, but hope it helps a bit.
th.
Thanks Tomas, interesting post... I have tested various builds against
the client renegotiation vulnerability and get the following results:
httpd-2.2.14 (unpatched) with openssl-0.9.8l:
    connection "hangs", both sides reading connection
httpd-2.2.14 (with CVE-2009-3555-2.2.patch) with openssl-0.9.8l:
    connection "hangs", both sides reading connection
httpd-2.2.14 (with CVE-2009-3555-2.2.patch) with openssl-0.9.8k:
    connection dropped by server with:
    25217:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:
I don't want to risk connections getting hung up, so my conclusion is
that I should deploy the patched version of mod_ssl with 0.9.8k. Or is a
0.9.8m in the offing?
Rgds,
Owen Boyle
PS: Test method:
$ openssl s_client -connect wibble:443
...
GET / HTTP/1.1
Host:wibble
R
PPS: Although I have subscribed to this list, I am not getting the mails
(I have to keep checking the archives). Is there anyone who can check
out my account?
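The manual test in the messages above (s_client, a partial request, then "R") distinguishes three outcomes only by whether the terminal sits there, so a hung connection is easy to confuse with a slow one. The script below is an added example, not part of the thread or of OpenSSL, that replays the same probe against one's own server under a timeout and classifies the result into the three cases Owen reports: a hang (0.9.8l), a connection dropped with "ssl handshake failure" (patched mod_ssl with 0.9.8k), or a completed renegotiation. It assumes a modern `openssl s_client` (the `-tls1_2` flag did not exist in 0.9.8; drop it for a build of that era; TLS 1.3 has no renegotiation so "R" is meaningless there) and coreutils `timeout`. The function names and the exit-code handling are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: automate the s_client
# renegotiation probe described above and classify what the server did.
# Assumptions: coreutils `timeout` and a modern `openssl` are on PATH, and
# the target negotiates TLS 1.2 or earlier (renegotiation does not exist in
# TLS 1.3, so s_client is pinned with -tls1_2; remove that flag for a
# 0.9.8-era s_client, which predates the option).

# classify_reneg_result EXIT_CODE OUTPUT
# Prints one word describing the outcome of a probe:
#   hang         - s_client was still waiting when the timeout fired
#                  (coreutils `timeout` exits 124), the 0.9.8l behaviour
#   dropped      - server closed the connection with an SSL handshake
#                  failure, the behaviour seen with patched mod_ssl + 0.9.8k
#   renegotiated - s_client reported RENEGOTIATING and then exited normally
#   unknown      - anything else (connect errors, unexpected alerts, ...)
# The timeout is checked first because a hung session also prints
# RENEGOTIATING before it stalls.
classify_reneg_result() {
    rc=$1
    out=$2
    if [ "$rc" -eq 124 ]; then
        echo hang
    elif printf '%s\n' "$out" | grep -q 'ssl handshake failure'; then
        echo dropped
    elif printf '%s\n' "$out" | grep -q 'RENEGOTIATING'; then
        echo renegotiated
    else
        echo unknown
    fi
}

# probe_renegotiation HOST:PORT [TIMEOUT_SECONDS]
# Replays the thread's manual test: send the first request lines, then a
# line containing only "R" so s_client asks for a renegotiation. stdin is
# kept open with `sleep` for longer than the timeout; otherwise s_client
# would see EOF right after "R", print DONE and exit, hiding the hang.
probe_renegotiation() {
    target=$1
    limit=${2:-10}
    host=${target%%:*}
    out=$( { printf 'GET / HTTP/1.1\r\nHost: %s\r\nR\n' "$host"
             sleep $((limit + 5)); } \
           | timeout "$limit" openssl s_client -connect "$target" -tls1_2 2>&1 )
    rc=$?    # exit status of `timeout` (124 when the limit was hit)
    classify_reneg_result "$rc" "$out"
}

# Stand-alone use: ./probe.sh wibble:443 [seconds]
if [ -n "${1:-}" ]; then
    probe_renegotiation "$1" "${2:-10}"
fi
```

In the hang case the wrapper returns about five seconds after the timeout because `sleep` has to finish before the pipeline does. A result of "hang" matches what 0.9.8l does: it refuses client-initiated renegotiation and leaves the connection in place, which is what server-status shows as "reading". "dropped" is the behaviour the patched mod_ssl produces with 0.9.8k. The later 0.9.8m release implemented RFC 5746 secure renegotiation, after which the probe should report either "renegotiated" (with a client that also speaks RFC 5746) or a refusal.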
Hmm. If memory serves me right there was a "subscribe" message sent to
the list instead of the mailing list manager (which I then moderated
away)...
Please try again, we do have some handy form on the web page.
Best regards,
Lutz