
Re: TLS renegotiation

William A. Rowe Jr. wrote:
> Howard Chu wrote:
>> Emmanuel Lecharny wrote:
>>> Wondering if we (ApacheDS) can be a possible target, assuming that we
>>> are Java based. Any idea?
>> I think Kurt's post already outlined the points of exposure but just to recap:
>> Renegotiation for privilege escalation is only a threat if the server
>> automatically and implicitly uses the client's certificate for authentication.
> That is fine as it goes.
> But there are other factors involved in the TLS renegotiation sequence, not just
> simply requesting client certificate authentication, and none of that matters
> because the MITM has already injected themselves into this stream.
> Unless all other forms of negotiation are rejected outright, the problem remains.

Most of it is a non-problem; the MITM cannot inject any operations that will
run under the client's credentials. Nor can it eavesdrop on the encrypted
traffic or tamper with it once underway. It's a lot of work for no gain.

> I'm more interested to know if anyone has looked at the question of which clients
> or servers are using renegotiation features (remember tlsv1_alert import nonsense?)
> or if openldap works just fine with OpenSSL 0.9.8l (renegotiation-crippled) provider.

As I already said here


OpenSSL 0.9.8l is broken; renegotiation requests will hang the connection.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/