[Date Prev][Date Next]
Re: TLS renotiation
- To: Howard Chu <firstname.lastname@example.org>
- Subject: Re: TLS renotiation
- From: Emmanuel Lecharny <email@example.com>
- Date: Wed, 11 Nov 2009 00:59:27 +0100
- Cc: Dieter Kluenter <firstname.lastname@example.org>, email@example.com, Ludovic Poitou <Ludovic.Poitou@Sun.COM>
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=3t3CH6JewDJlESui1ziv62viFsvTeNLL4vMGt7vPHp8=; b=uv/XrSO9vEoscHl+v+Vlrk2mT8tj4IiVw81l2MRO/zxDeWsM3QYWPlkcYetLV+pUkN M83onbqQurMgj6nRn8sgEMD+v52YlxdklV6h7AfbrNkkqexkn3AbHbtv5YQx1j14M1EU LdrHstYeSynDZ5WfDCgKkMEbq6RLHMtXBfG48=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=UPj0S2HiwBAXW75/UQNXQY8vS0ZixHYqd/2hGnLuDe/0FWVobKlOr2QNpOT8S/zyt4 Es6+RuN3MKyvtO6ZLRuL5nAj/o8xKKbOx1TuBJvXU3jcpd+buBu7vdkAEwfxQajJ+Igg 2CagSTyCJbVhBzXluh+PAH51VziRyl0hB68jw=
- In-reply-to: <4AF9C629.firstname.lastname@example.org>
- References: <email@example.com> <4AF69793.firstname.lastname@example.org> <78ECD685-4A3F-4A31-BBD8-23F36D8E9924@sun.com> <4AF9C629.email@example.com>
- User-agent: Thunderbird 22.214.171.124 (X11/20090817)
Howard Chu wrote:
Wondering if we (ApacheDS) can be a possible target, assuming that we
are Java based. Any idea ?
Ludovic Poitou wrote:
Our security expert at Sun consider that the attack could be applied to
LDAP, although it will be more complex to achieve for all the good
reasons you've outline (session-oriented, with explicit authentication
attached to a session, and is a record-oriented ASN.1 encoded protocol
with precisely defined message structure).
The renegotiation in the attack is as far as I understand, driven by the
man in the middle, and so even though OpenLDAP slapd never request the
renegociation, it is still subject to the attack.
Hi Ludo, thanks for the note. Kurt and I were discussing this offline and he
has suggested a possible attack as well. I'm still not convinced of the
details but we'll continue to investigate.