SSL: Another Protocol Bites The Dust

R.A. Hettinga rah at shipwright.com
Thu Nov 5 07:59:18 PST 2009


<http://www.links.org/?p=780>

Links


Ben Laurie blathering


Another Protocol Bites The Dust

For the last 6 weeks or so, a bunch of us have been working on a
really serious issue in SSL. In short, a man-in-the-middle can use SSL
renegotiation to inject an arbitrary prefix into any SSL session,
undetected by either end.

To make matters even worse, through a piece of (in retrospect)
incredibly bad design, HTTP servers will, under some circumstances,
replay that arbitrary prefix in a new authentication context. For
example, this is what happens if you configure Apache to require
client certificates for one directory but not another. Once it emerges
that your request is for a protected directory, a renegotiation will
occur to obtain the appropriate client certificate, and then the
original request (i.e. the stuff from the bad guy) gets replayed as if
it had been authenticated by the client certificate.

But it hasn't.

Not that the picture is all rosy even when client certificates are not
involved. Consider the attacker sending an HTTP request of his
choosing, ending with the unterminated line "X-Swallow-This: ". That
header will then swallow the real request sent by the real user, and
will cause any headers from the real user (including, say,
authentication cookies) to be appended to the evil request.

It's obviously going to take a little while for the world to patch
this - and since the news is spreading like wildfire I've put up a
patch to OpenSSL that bans all renegotiation. I'm sure an official
release will follow very shortly.

Note that the patch is against the head of the OpenSSL 0.9.8
development tree (that is, it is against 0.9.8l-dev). You may have to
do a little work to patch against other versions. And if you intend to
deploy this patch permanently, please change at least the textual
version of the version number, which you can find in
crypto/opensslv.h. Also note that if you need renegotiation for your
site to work, I have no solution for you, other than you redesign your
site. Sorry.

This entry was posted on Thursday, November 5th, 2009 at 8:03 and is
filed under Crypto, Open Source, Security.
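
The header-swallowing case described in the post, modelled offline as an added example (not part of the original post and not OpenSSL code): the server's HTTP layer sees the bytes received before and after renegotiation as one stream. The segment tuples, epoch numbers, host name, path and cookie value are constructed for illustration, and `allow_renegotiation=False` is a stand-in for the patch's behaviour of banning all renegotiation.

```python
# Added illustration; all names and sample bytes below are constructed.

class RenegotiationRefused(Exception):
    """Raised when the modelled server bans renegotiation."""

def parse_request(stream: bytes):
    """Minimal HTTP/1.x parser: returns (request_line, headers dict)."""
    head = stream.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def server_view(segments, allow_renegotiation=True):
    """segments: list of (bytes, handshake_epoch) as decrypted by the server.

    The HTTP layer sees one undifferentiated byte stream, so data from
    different handshake epochs is concatenated unless renegotiation is banned.
    """
    stream, epoch = b"", None
    for data, seg_epoch in segments:
        if epoch is not None and seg_epoch != epoch and not allow_renegotiation:
            raise RenegotiationRefused("handshake after the initial one rejected")
        epoch = seg_epoch
        stream += data
    return parse_request(stream)

# Constructed sample: epoch 0 is the prefix injected before renegotiation,
# epoch 1 is what the real user sent after it.
INJECTED_PREFIX = (b"GET /attacker/chosen/path HTTP/1.1\r\n"
                   b"Host: example.test\r\n"
                   b"X-Swallow-This: ")          # unterminated header line
REAL_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: example.test\r\n"
                b"Cookie: session=CONSTRUCTED\r\n\r\n")
SEGMENTS = [(INJECTED_PREFIX, 0), (REAL_REQUEST, 1)]

if __name__ == "__main__":
    line, headers = server_view(SEGMENTS)
    print(line)      # request line comes from the injected prefix
    print(headers)   # the real user's cookie is attached to that request
```

With renegotiation allowed, the real user's request line ends up as the value of `X-Swallow-This` and the cookie is parsed as a header of the injected request; with it banned, the second handshake aborts the connection before any of the real user's bytes reach the parser.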





More information about the cypherpunks-legacy mailing list