|

Computer Security

»

Encryption and Cryptography

»

»

TLS renegotiation vulnerability question

View: New views

6 Messages — Rating Filter: Alert me

	TLS renegotiation vulnerability question by Ben Sandee :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Can someone tell me whether or not an individual client and server, neither of which ever requests a renegotiation, will be vulnerable to this as a pair? I realize that the server is vulnerable if it is used with a client that requests renegotiation because prior OpenSSL versions accept all client-initiated renegotiations. But is it possible for a MITM attacker to inject a client or server renegotiation request to an otherwise secure connection? Thanks, Ben ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@... Automated List Manager majordomo@...
	Re: TLS renegotiation vulnerability question by Victor Duchovni :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On Fri, Nov 06, 2009 at 02:27:10PM -0600, Ben Sandee wrote: > Can someone tell me whether or not an individual client and server, > neither of which ever requests a renegotiation, will be vulnerable to > this as a pair? Yes, provided the server allows client initiated re-negotiation. > I realize that the server is vulnerable if it is used > with a client that requests renegotiation No, the re-negotiated is requested by the evil MITM, not the client. > But is it > possible for a MITM attacker to inject a client or server > renegotiation request to an otherwise secure connection? Yes. -- Viktor. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@... Automated List Manager majordomo@...
	Re: TLS renegotiation vulnerability question by Ben Sandee :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message > >> But is it >> possible for a MITM attacker to inject a client or server >> renegotiation request to an otherwise secure connection? > > Yes. Thank you Viktor for your very prompt reply. This matches what I've been reading about this exploit, however it is not clear to me how this is possible. Mustn't the injected client-hello message be encrypted using the session key established when the SSL session is established? If so, how does the MITM obtain this? I suppose this may be a central part of the exploit -- and something that I need not necessarily understand as long as I accept that it is in fact possible... Thank you again, Ben ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@... Automated List Manager majordomo@...
	Re: TLS renegotiation vulnerability question by Ben Sandee :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On Fri, Nov 6, 2009 at 2:35 PM, Ben Sandee <tbsandee@...> wrote: >> >>> But is it >>> possible for a MITM attacker to inject a client or server >>> renegotiation request to an otherwise secure connection? >> >> Yes. > > Thank you Viktor for your very prompt reply. This matches what I've > been reading about this exploit, however it is not clear to me how > this is possible. Mustn't the injected client-hello message be > encrypted using the session key established when the SSL session is > established? If so, how does the MITM obtain this? I suppose this > may be a central part of the exploit -- and something that I need not > necessarily understand as long as I accept that it is in fact > possible... Never mind, I have seen a protocol state diagram now at http://extendedsubset.com/Renegotiating_TLS_pd.pdf which illustrates the issue very well for me. Thanks, Ben ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@... Automated List Manager majordomo@...
	Re: TLS renegotiation vulnerability question by Bruce Stephens-4 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Ben Sandee <tbsandee@...> writes: [...] > Thank you Viktor for your very prompt reply. This matches what I've > been reading about this exploit, however it is not clear to me how > this is possible. The clearest description I've read is EKR's: <http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html> [...] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@... Automated List Manager majordomo@...
	Re: TLS renegotiation vulnerability question by Ben Sandee :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On Fri, Nov 6, 2009 at 2:52 PM, Bruce Stephens <bruce.stephens@...> wrote: > Ben Sandee <tbsandee@...> writes: > > [...] > >> Thank you Viktor for your very prompt reply. This matches what I've >> been reading about this exploit, however it is not clear to me how >> this is possible. > > The clearest description I've read is EKR's: > <http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html> Yes, I had seen that but it wasn't until I had the context of the protocol diagram that it all came together and then this page was indeed a valuable resource. Thank you. Ben ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@... Automated List Manager majordomo@...