SSL renegociation vulnerability

by Emmanuel Dreyfus

Hello

A question about the latest SSL vulnerability:
http://extendedsubset.com/?p=8

The data insertion is possible at SSL renegotiation time. When does the
renegotiation occur? We are told it happens when client certificates are
used, and on algorithm change.

When client certificates are not used, when do we have renegotiations?
And how is the attacker able to forecast the next renegotiation? Because
it has to forecast in order to inject data, right?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: SSL renegociation vulnerability

by Brian A. Seklecki (CFI NOC)

Emmanuel Dreyfus wrote:
> Hello
>
> A question about the latest SSL vulnerability:
> http://extendedsubset.com/?p=8

I don't have an answer to your question, but for the sake of the list
archives, it should be pointed out that the ASF distributed work-around
patch has been imported into pkgsrc/www/apache22 about 7 weeks ago by
Matthias Scheler:

http://pkgsrc.se/files.php?messageId=20091004122135.3083A175DA@...

As far as getting OpenSSL 0.9.8l MITM-related changes backported, I'll
defer.

~BAS



Re: SSL renegociation vulnerability

by Emmanuel Dreyfus

Brian A. Seklecki (CFI NOC) <seklecki@...> wrote:

> I don't have an answer to your question, but for the sake of the list
> archives, it should be pointed out that the ASF distributed work-around
> patch has been imported into pkgsrc/www/apache22 about 7 weeks ago by
> Matthias Scheler:
>
> http://pkgsrc.se/files.php?messageId=20091004122135.3083A175DA@...

This fix is just about mod_proxy_ftp, not the whole SSL handshake bug,
isn't it?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: SSL renegociation vulnerability

by Brian A. Seklecki (CFI NOC)

On Thu, 2009-12-03 at 04:16 +0100, Emmanuel Dreyfus wrote:
>
> This fix is just about mod_proxy_ftp, not the whole SSL handshake bug,
> isn't it?
>

Yeah, I was half asleep when I posted that. Thanks for the catch.

However, I can confirm that:

  http://security.FreeBSD.org/patches/SA-09:15/ssl.patch

...applies cleanly.  Just made a release build.sh on netbsd-5 with it.
I certainly won't be sleeping any better, though, knowing that this is
the work-around.

~BAS



Re: SSL renegociation vulnerability

by Thor Lancelot Simon-2

On Fri, Dec 04, 2009 at 01:13:52AM -0500, Brian Seklecki wrote:
>
> However, I can confirm that:
>
>   http://security.FreeBSD.org/patches/SA-09:15/ssl.patch

If this is the patch from OpenSSL 0.9.8l it should not be applied to
NetBSD; it is broken and introduces both forward *and* backwards API
and ABI incompatibility.

Thor

Re: SSL renegociation vulnerability

by Christos Zoulas-2

In article <20091204162709.GA11270@...>,
Thor Lancelot Simon  <tls@...> wrote:
>On Fri, Dec 04, 2009 at 01:13:52AM -0500, Brian Seklecki wrote:
>>
>> However, I can confirm that:
>>
>>   http://security.FreeBSD.org/patches/SA-09:15/ssl.patch
>
>If this is the patch from OpenSSL 0.9.8l it should not be applied to
>NetBSD; it is broken and introduces both forward *and* backwards API
>and ABI incompatibility.

Unfortunately I have not seen anything in the head of the OpenSSL tree
that addresses this issue so I have applied a similar patch to FreeBSD
that disables renegotiation completely for now. I would like to have
a better solution, but I don't see one.

christos


Re: SSL renegociation vulnerability

by Thor Lancelot Simon-2

On Sat, Dec 05, 2009 at 03:30:57AM +0000, Christos Zoulas wrote:

> In article <20091204162709.GA11270@...>,
> Thor Lancelot Simon  <tls@...> wrote:
> >On Fri, Dec 04, 2009 at 01:13:52AM -0500, Brian Seklecki wrote:
> >>
> >> However, I can confirm that:
> >>
> >>   http://security.FreeBSD.org/patches/SA-09:15/ssl.patch
> >
> >If this is the patch from OpenSSL 0.9.8l it should not be applied to
> >NetBSD; it is broken and introduces both forward *and* backwards API
> >and ABI incompatibility.
>
> Unfortunately I have not seen anything in the head of the OpenSSL tree
> that addresses this issue so I have applied a similar patch to FreeBSD
> that disables renegotiation completely for now. I would like to have
> a better solution, but I don't see one.

Actually, OpenSSL HEAD gets it pretty much right.

The problem with what OpenSSL 0.9.8l did is that it:

        1) Leaves the connection hung rather than closing it after the
           renegotiation attempt.

        2) Uses a different API/ABI for renegotiation control than what
           they did two days later in OpenSSL HEAD, without any backwards
           compatibility!

Thor

Re: SSL renegociation vulnerability

by Christos Zoulas

On Dec 4, 10:52pm, tls@... (Thor Lancelot Simon) wrote:
-- Subject: Re: SSL renegociation vulnerability

| On Sat, Dec 05, 2009 at 03:30:57AM +0000, Christos Zoulas wrote:
| > In article <20091204162709.GA11270@...>,
| > Thor Lancelot Simon  <tls@...> wrote:
| > >On Fri, Dec 04, 2009 at 01:13:52AM -0500, Brian Seklecki wrote:
| > >>
| > >> However, I can confirm that:
| > >>
| > >>   http://security.FreeBSD.org/patches/SA-09:15/ssl.patch
| > >
| > >If this is the patch from OpenSSL 0.9.8l it should not be applied to
| > >NetBSD; it is broken and introduces both forward *and* backwards API
| > >and ABI incompatibility.
| >
| > Unfortunately I have not seen anything in the head of the OpenSSL tree
| > that addresses this issue so I have applied a similar patch to FreeBSD
| > that disables renegotiation completely for now. I would like to have
| > a better solution, but I don't see one.
|
| Actually, OpenSSL HEAD gets it pretty much right.
|
| The problem with what OpenSSL 0.9.8l did is that it:
|
| 1) Leaves the connection hung rather than closing it after the
|   renegotiation attempt.
|
| 2) Uses a different API/ABI for renegotiation control than what
|   they did two days later in OpenSSL HEAD, without any backwards
|   compatibility!

I'll import head then.

christos

Re: SSL renegociation vulnerability

by Soren Jacobsen-3

On Dec 5, 2009, at 9:10 AM, Christos Zoulas wrote:

> I'll import head then.

We still need to figure out what to do for the release branches.

Re: SSL renegociation vulnerability

by Christos Zoulas

On Dec 5,  8:17pm, snj@... (Soren Jacobsen) wrote:
-- Subject: Re: SSL renegociation vulnerability

| On Dec 5, 2009, at 9:10 AM, Christos Zoulas wrote:
|
| > I'll import head then.
|
| We still need to figure out what to do for the release branches.

Apply the patch from FreeBSD to disable renegotiation?

christos

Re: SSL renegociation vulnerability

by Thor Lancelot Simon-2

On Sun, Dec 06, 2009 at 11:00:55AM -0500, Christos Zoulas wrote:

> On Dec 5,  8:17pm, snj@... (Soren Jacobsen) wrote:
> -- Subject: Re: SSL renegociation vulnerability
>
> | On Dec 5, 2009, at 9:10 AM, Christos Zoulas wrote:
> |
> | > I'll import head then.
> |
> | We still need to figure out what to do for the release branches.
>
> Apply the patch from FreeBSD to disable renegotiation?

What a mess.  The problem is that the head of the OpenSSL-0.9.8 branch
in their CVS looks like OpenSSL-current API-wise, while the released
0.9.8l (which wasn't even generated from their CVS -- it has residue
of hand-patching in the release tar file!) is API and ABI incompatible.

I cannot seem to get an answer from them as to whether they intend to
fix the API botch in a later 0.9.8 release.  It's exasperating.

What I would actually be inclined to do is:

        1) Bring the release branches to 0.9.8-stable from a recent
           CVS snapshot.

        2) Try to figure out a way to implement the 0.9.8l renegotiation-
           control API but adjusted such that it doesn't do anything.  This
           is dangerous though if they reuse the relevant flag bit in a
           later otherwise ABI-compatible release.

I do not understand why they changed the renegotiation control from a
"FLAG" to an "OP" on the SSL * object but they did and that is why we
are in this mess.  I wish I could get an explanation of that too other than
"using a flag was a bad idea".

Maybe if someone else asks "on behalf of NetBSD"...

Thor