Re: TLS renegotiation

Kurt Zeilenga wrote:
> I've now posted my preliminary report on the general impact of TLS  
> renegotiation on LDAP to the ldapext@ietf.org list, for initial  
> discussion there.  A final report will be made available later, likely  
> posted to ldap@umich.edu.
> Howard has already made a brief statement here regarding impact upon  
> OpenLDAP Software on this list.  In short summary, only the "milder  
> issue" applies to OpenLDAP Software (and seems to a very minor  
> concern).  Clients can mitigate this issue as discussed in the  
> report.  Servers can mitigate this issue by disabling TLS  
> renegotiations within their TLS library.  Disabling TLS renegotiations  
> in the server has side effects which might not be desirable in certain  
> deployments.

OpenSSL 0.8.9l was quickly released in response to this attack. It is supposed
to disable TLS renegotiation support, but it has a number of bugs. Instead of
cleanly closing the session when a reneg occurs, it hangs. I suggest that
people hold off another couple days before deploying a TLS reneg fix. At least
for OpenLDAP, since in this case the cure is worse than the actual problem.
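As an added example (not code from this thread, OpenLDAP or OpenSSL), here is a record-layer policy doing what Howard says the hotfix release fails to do: when a ClientHello arrives on an already-established session, answer with a close_notify alert and end the session cleanly instead of hanging. Record and handshake header layouts follow the TLS 1.0-1.2 wire format; the sample records are constructed.

```python
"""Refuse TLS renegotiation at the record layer with a clean close.

Constructed example; not OpenLDAP or OpenSSL code.  A server that has
finished its handshake should never accept a second ClientHello.  The
policy below spots one and returns the close_notify alert to send.
"""
import struct

ALERT, HANDSHAKE, APPLICATION_DATA = 21, 22, 23
CLIENT_HELLO = 1
# TLS 1.0 alert record: level=warning(1), description=close_notify(0)
CLOSE_NOTIFY = b"\x15\x03\x01\x00\x02\x01\x00"


def parse_records(data: bytes):
    """Split a byte stream into (content_type, version, payload) records.

    Record header: type(1) | version(2) | length(2), big-endian.
    """
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        if off + 5 + length > len(data):
            raise ValueError("truncated TLS record")
        records.append((ctype, ver, data[off + 5:off + 5 + length]))
        off += 5 + length
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return records


def police_stream(data: bytes, handshake_done: bool = True):
    """Return ('close', CLOSE_NOTIFY) on a post-handshake ClientHello,
    otherwise ('ok', <number of records accepted>).

    Handshake header: msg_type(1) | length(3); ClientHello is type 1.
    """
    accepted = 0
    for ctype, _ver, payload in parse_records(data):
        if handshake_done and ctype == HANDSHAKE and payload[:1] == bytes([CLIENT_HELLO]):
            return ("close", CLOSE_NOTIFY)   # refuse renegotiation, close cleanly
        accepted += 1
    return ("ok", accepted)


# constructed sample records (TLS 1.0 version bytes 0x0301)
APP_DATA = b"\x17\x03\x01\x00\x03abc"                      # 3 bytes of app data
RENEG_HELLO = b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x01"  # minimal ClientHello

if __name__ == "__main__":
    print(police_stream(APP_DATA))                # ('ok', 1)
    print(police_stream(APP_DATA + RENEG_HELLO))  # ('close', b'\x15...')
```

A real server would write the returned alert to the socket and then shut the connection down; the same ClientHello is legitimate only before the first handshake completes, which the `handshake_done` flag models.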


