SSL: Another Protocol Bites The Dust

R.A. Hettinga rah at shipwright.com
Thu Nov 5 10:59:18 EST 2009


<http://www.links.org/?p=780>

Links


Ben Laurie blathering


Another Protocol Bites The Dust

For the last 6 weeks or so, a bunch of us have been working on a  
really serious issue in SSL. In short, a man-in-the-middle can use SSL  
renegotiation to inject an arbitrary prefix into any SSL session,  
undetected by either end.

To make matters even worse, through a piece of (in retrospect)  
incredibly bad design, HTTP servers will, under some circumstances,  
replay that arbitrary prefix in a new authentication context. For  
example, this is what happens if you configure Apache to require  
client certificates for one directory but not another. Once it emerges  
that your request is for a protected directory, a renegotiation will  
occur to obtain the appropriate client certificate, and then the  
original request (i.e. the stuff from the bad guy) gets replayed as if  
it had been authenticated by the client certificate.

But it hasn’t.

Not that the picture is all rosy even when client certificates are not  
involved. Consider the attacker sending an HTTP request of his  
choosing, ending with the unterminated line “X-Swallow-This: “. That  
header will then swallow the real request sent by the real user, and  
will cause any headers from the real user (including, say,  
authentication cookies) to be appended to the evil request.

It’s obviously going to take a little while for the world to patch  
this – and since the news is spreading like wildfire I’ve put up a  
patch to OpenSSL that bans all renegotiation. I’m sure an official  
release will follow very shortly.

Note that the patch is against the head of the OpenSSL 0.9.8  
development tree (that is, it is against 0.9.8l-dev). You may have to  
do a little work to patch against other versions. And if you intend to  
deploy this patch permanently, please change at least the textual  
version of the version number, which you can find in crypto/ 
opensslv.h. Also note that if you need renegotiation for your site to  
work, I have no solution for you, other than you redesign your site.  
Sorry.

Share This
This entry was posted on Thursday, November 5th, 2009 at 8:03 and is  
filed under Crypto, Open Source, Security. You can follow any  
responses to this entry through the RSS 2.0 feed. You can leave a  
response, or trackback from your own site.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list