DO NOT REPLY [Bug 48157] New: describe how to disable X-Header trick to attack client cert auth


DO NOT REPLY [Bug 48157] New: describe how to disable X-Header trick to attack client cert auth

by Bugzilla from bugzilla@apache.org


https://issues.apache.org/bugzilla/show_bug.cgi?id=48157

           Summary: describe how to disable X-Header trick to attack
                    client cert auth
           Product: Tomcat 5
           Version: Unknown
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Connector:Coyote
        AssignedTo: dev@...
        ReportedBy: hauser@...


as per http://extendedsubset.com/Renegotiating_TLS.pdf p. 4:


Is there a way to disable X-Headers with GET like paths in coyote - if so,
describe in http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

see also bug 3463 and http://forums.sun.com/thread.jspa?messageID=10857837

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...


DO NOT REPLY [Bug 48157] describe how to disable X-Header trick to attack client cert auth

by Bugzilla from bugzilla@apache.org


https://issues.apache.org/bugzilla/show_bug.cgi?id=48157

--- Comment #1 from Ralf Hauser <hauser@...> 2009-11-07 08:09:41 UTC ---
see also Bug 48158



DO NOT REPLY [Bug 48157] describe how to disable X-Header trick to attack client cert auth

by Bugzilla from bugzilla@apache.org


https://issues.apache.org/bugzilla/show_bug.cgi?id=48157

Mark Thomas <markt@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #2 from Mark Thomas <markt@...> 2009-11-07 09:09:42 GMT ---
Chances are any attempt to filter these out could be defeated and there is
always a risk of a false positive. In addition, there may be other, more
complex, attack vectors that would not be blocked.

I just kicked off a discussion on the dev list. Feel free to join in there.



DO NOT REPLY [Bug 48157] describe how to disable X-Header trick to attack client cert auth

by Bugzilla from bugzilla@apache.org


https://issues.apache.org/bugzilla/show_bug.cgi?id=48157

--- Comment #3 from Ralf Hauser <hauser@...> 2009-11-09 04:06:08 UTC ---
Since we do not really have the option to use "APR/Native", we would be happy
to have X-Header fixing heuristics as another optional server.xml attribute.
You fear in comment 2 that there are other, more complex attack vectors, but if
we can, shouldn't we fix the immediate and obvious ones all the same - even if
we can't guarantee that there aren't worse, but also more complex, attack
vectors?

We happily offer to test and report at least for our setup.



DO NOT REPLY [Bug 48157] describe how to disable X-Header trick to attack client cert auth

by Bugzilla from bugzilla@apache.org


https://issues.apache.org/bugzilla/show_bug.cgi?id=48157

--- Comment #4 from Konstantin Kolinko <knst.kolinko@...> 2009-11-09 05:12:13 UTC ---
If you really want something like that, you can write a Filter or a Valve. See
org.apache.catalina.valves.RequestDumperValve for an example.

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

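The Filter-or-Valve approach suggested in comment #4, written out as an added example (this is not code from the bug thread or from Tomcat itself). It is a Tomcat 6 style Valve, built on org.apache.catalina.valves.ValveBase, that inspects every request header value and rejects (or, with logOnly="true", only logs) a request whose header value reads like a complete HTTP request line, which is the shape the "X-Header trick" in the report leaves behind once a swallowed request line lands inside a header. The package name, class name and the logOnly attribute are assumptions for illustration. Note the limitation comment #5 raises: this runs after the TLS handshake and sees only the assembled HTTP request, so it catches the one obvious request shape and does nothing at the TLS layer where the renegotiation itself happens.

```java
// Added example, not from the bug thread or the Tomcat code base.
// Assumes the Tomcat 6 Catalina API (ValveBase, connector Request/Response)
// and the JULI logging classes shipped with Tomcat.
package example.valves; // hypothetical package name

import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Rejects requests in which some header *value* looks like an HTTP request
 * line, e.g. "GET /private/ HTTP/1.1". A legitimate client never sends that
 * inside a header; it is the footprint left when a prefix such as
 * "X-Ignore: " (no CRLF) swallows the following request line.
 */
public class RequestLineInHeaderValve extends ValveBase {

    private static final Log log = LogFactory.getLog(RequestLineInHeaderValve.class);

    // Whole-value match: method, request target, HTTP/1.0 or HTTP/1.1.
    private static final Pattern REQUEST_LINE = Pattern.compile(
            "^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT)\\s+\\S+\\s+HTTP/1\\.[01]$",
            Pattern.CASE_INSENSITIVE);

    // server.xml attribute (hypothetical): log the hit but let the request through.
    private boolean logOnly = false;

    public void setLogOnly(boolean logOnly) { this.logOnly = logOnly; }
    public boolean getLogOnly() { return logOnly; }

    /** Heuristic check, kept separate so it can be unit tested on its own. */
    static boolean looksLikeRequestLine(String value) {
        return value != null && REQUEST_LINE.matcher(value.trim()).matches();
    }

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Enumeration<?> names = request.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            Enumeration<?> values = request.getHeaders(name);
            while (values.hasMoreElements()) {
                String value = (String) values.nextElement();
                if (looksLikeRequestLine(value)) {
                    log.warn("Request-line-shaped value in header '" + name
                            + "' from " + request.getRemoteAddr()
                            + (logOnly ? " (log only)" : ", rejecting with 400"));
                    if (!logOnly) {
                        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                        return; // do not pass the request down the pipeline
                    }
                }
            }
        }
        getNext().invoke(request, response);
    }
}
```

To enable it, add a Valve element of the form `<Valve className="example.valves.RequestLineInHeaderValve" logOnly="false"/>` under the Engine, Host or Context in server.xml, as described on the valve configuration page linked in comment #4. Running it in logOnly mode first is the practical way to measure the false-positive risk Mark Thomas mentions in comment #2 before turning on rejection.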


DO NOT REPLY [Bug 48157] describe how to disable X-Header trick to attack client cert auth

by Bugzilla from bugzilla@apache.org


https://issues.apache.org/bugzilla/show_bug.cgi?id=48157

--- Comment #5 from Mark Thomas <markt@...> 2009-11-09 06:08:15 GMT ---
My current understanding is that a filter/valve as proposed will do very little
to mitigate this attack as the SSL handshaking occurs at the JSSE level and is
simply not visible to the BIO & NIO connector code.



DO NOT REPLY [Bug 48157] describe how to disable X-Header trick to attack client cert auth

by Bugzilla from bugzilla@apache.org


https://issues.apache.org/bugzilla/show_bug.cgi?id=48157

Luciana Moreira <moreira@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |moreira@...
