Jens Schoenershoven | 9 Nov 17:10 2009

Backporting Apache HTTPD 2.2.15 Patch for OpenSSL issue

Dear User List,

is there any plan to have a backport of Apache HTTPD Patch 2.2.15 (as an 
alternative Workaround for the OpenSSL issue about Renegotiating 
TLS-Connections) for mod_ssl in combination with Apache HTTPD 1.3?

Regards,
Jens Schoenershoven
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

jpguilloteau | 9 Nov 22:02 2009

Jean-Pierre Guilloteau is out of the office.


I will be out of the office starting Fri 06/11/09 and will not return until
Mon 16/11/09.

I will respond to your message when I return.


David Rosenstrauch | 19 Nov 21:19 2009

SSLRequire problem

Hi.  I'm tearing my hair out over an SSLRequire directive that doesn't 
seem to be working.  Can anyone help?

The directive is actually quite simple:

    # Require SSL over non-obvious port 81 for SVN access
    SSLRequire %{SERVER_PORT} == 81

This is actually working fine when the client is a web browser.  (i.e., 
using HTTP method GET).

But the server is actually hosting Subversion (via WebDAV), so the 
client is an SVN client (which uses HTTP methods OPTIONS, PROPFIND, and 
REPORT).  And when the URL is accessed that way it fails, with the 
following appearing in the log:

[Thu Nov 19 19:37:53 2009] [error] [client <my ip address>] access to 
<our SVN path> failed, reason: SSL requirement expression not fulfilled 
(see SSL logfile for more details)

Even when I crank up the debugging, I still don't get any useful info as 
to what's happening:

[Thu Nov 19 19:37:53 2009] [info] Failed expression: %{SERVER_PORT} == 81

Anyone have any idea what's going on here?  Is there any way to debug 
the SSLRequire expression?

I'm using mod_ssl 2.2.3 with Apache on CentOS 5.2.


Joe Orton | 20 Nov 10:50 2009

Re: SSLRequire problem

On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
> Hi.  I'm tearing my hair out over an SSLRequire directive that doesn't  
> seem to be working.  Can anyone help?
>
> The directive is actually quite simple:
>
>    # Require SSL over non-obvious port 81 for SVN access
>    SSLRequire %{SERVER_PORT} == 81

The port which %{SERVER_PORT} expands to is determined by the settings 
of UseCanonicalPhysicalPort and UseCanonicalName.  For different 
combinations it will depend on either what the client sends in the 
request's Host header, what the ServerName directive is set to in the 
vhost, or what httpd derives as the "canonical" name for the vhost to be 
otherwise.

See docs for more info:

http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname
http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport

Regards, Joe

David Rosenstrauch | 20 Nov 16:28 2009

Re: SSLRequire problem

On 11/20/2009 04:50 AM, Joe Orton wrote:
> On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
>> Hi.  I'm tearing my hair out over an SSLRequire directive that doesn't  
>> seem to be working.  Can anyone help?
>>
>> The directive is actually quite simple:
>>
>>    # Require SSL over non-obvious port 81 for SVN access
>>    SSLRequire %{SERVER_PORT} == 81
> 
> The port which %{SERVER_PORT} expands to is determined by the settings 
> of UseCanonicalPhysicalPort and UseCanonicalName.  For different 
> combinations it will depend on either what the client sends in the 
> request's Host header, what the ServerName directive is set to in the 
> vhost, or what httpd derives as the "canonical" name for the vhost to be 
> otherwise.
> 
> See docs for more info:
> 
> http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname
> http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport
> 
> Regards, Joe

Huh!  Never heard of those before!

OK, well, I'm still not sure I quite understand the reason why, but 
"UseCanonicalPhysicalPort on" does seem to have fixed the problem.

Thanks much for the help!
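The lookup order Joe points at, modelled as an added Python example (not code from the thread or from httpd). The sample values are constructed; the case of an SVN client sending a Host header without a port is an assumed illustration of David's symptom, not something the thread confirms.

```python
# Added example, not from the thread: a model of how httpd 2.2 picks the port
# that %{SERVER_PORT} expands to, following the lookup order given in the
# UseCanonicalPhysicalPort documentation linked in the thread.
# Names and sample values are constructed.

DEFAULT_PORT = {"http": 80, "https": 443}


def host_header_port(host_header):
    """Port parsed from the request's Host: header, or None if absent."""
    if not host_header or ":" not in host_header.rsplit("]", 1)[-1]:
        return None
    return int(host_header.rsplit(":", 1)[1])


def server_name_port(server_name):
    """Port given in ServerName (e.g. 'svn.example.test:81'), or None."""
    if not server_name or ":" not in server_name:
        return None
    return int(server_name.rsplit(":", 1)[1])


def server_port(use_canonical_name, use_canonical_physical_port,
                host_header, server_name, physical_port, scheme="https"):
    """Return the port httpd would report as SERVER_PORT.

    Lookup order (httpd 2.2 docs):
      UseCanonicalName On : ServerName port, physical port, default port
      UseCanonicalName Off: Host: header port, physical port, ServerName port,
                            default port
    With UseCanonicalPhysicalPort Off the physical port is skipped entirely.
    """
    physical = physical_port if use_canonical_physical_port else None
    if use_canonical_name:
        candidates = [server_name_port(server_name), physical]
    else:
        candidates = [host_header_port(host_header), physical,
                      server_name_port(server_name)]
    candidates.append(DEFAULT_PORT[scheme])
    return next(p for p in candidates if p is not None)


def ssl_require_port_ok(port, required=81):
    """The thread's expression:  SSLRequire %{SERVER_PORT} == 81"""
    return port == required
```

With UseCanonicalPhysicalPort Off and a Host header that carries no port, the model falls through to the default 443 and the expression fails; switching it On makes the physical port 81 win.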

Rainer Jung | 22 Nov 01:21 2009

[PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

Hi,

I backported the patch against CVE-2009-3555 from Apache trunk, 2.2 and
2.0 (proposed). The patch is available at

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41.patch

CVE-2009-3555 is about the Man in the Middle attack against HTTPS.
The patch disables the use of client initiated SSL renegotiation. Server
initiated reneg is still allowed (and vulnerable).

See also:

http://svn.apache.org/viewvc?rev=833582&view=rev
http://svn.apache.org/viewvc?rev=833622&view=rev
http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x-v2.patch

Backport is not totally straightforward, because the original patches
use the filter architecture not present in Apache 1.3.

Any feedback on the patch is welcome. Some additional debug output can
be activated by using -DRENEG_DEBUG.

Regards,

Rainer

Jean-Christophe Baptiste | 23 Nov 01:29 2009

error in SSLv2/v3 read client hello A

Hi all,

I have been using client certificates for a while (more than 2 years)
successfully.

But now, after migrating a server, I am stuck with a problem that I have
no idea how to handle.
I just spent 10 hours googling around and reading the doc without
finding any clue.

On my new set-up, the web browser seems to reject the negotiation:

[Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection to child 2
established (server www.***.net:443)
[Sun Nov 22 22:51:36 2009] [info] Seeding PRNG with 656 bytes of entropy
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL:
Handshake: start
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL:
Loop: before/accept initialization
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read
11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1791):
+-------------------------------------------------------------------------+
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | 0000: 4f 50
54 49 4f 4e 53 20-2a 20 48                 OPTIONS * H      |
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1836):
+-------------------------------------------------------------------------+
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL:
Exit: error in SSLv2/v3 read client hello A
[Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in
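The BIO dump in the log above prints the bytes mod_ssl read from the socket before the handshake failed. As an added example (not part of the post), this reassembles such dump lines and reports whether the first bytes look like a TLS record, an SSLv2-style ClientHello, or a plaintext HTTP request; the sample input is the thread's own dump line, rejoined where the archive wrapped it.

```python
# Added example, not from the thread: decode the hex bytes that mod_ssl's
# "BIO dump" debug lines print and report what kind of data reached the TLS
# port. Classification follows the standard TLS and SSLv2 record layouts.
import re

# Constructed from the thread's log excerpt (one dump line, rejoined).
SAMPLE_LOG = [
    "[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | 0000: 4f 50 "
    "54 49 4f 4e 53 20-2a 20 48                 OPTIONS * H      |",
]

# "| 0000: 4f 50 54 49 4f 4e 53 20-2a 20 48 ..." -> offset and hex run
DUMP_LINE = re.compile(
    r"\|\s*([0-9a-f]{4}):\s*((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})")


def bio_dump_bytes(lines):
    """Collect the raw bytes from a sequence of mod_ssl BIO dump log lines."""
    data = bytearray()
    for line in lines:
        m = DUMP_LINE.search(line)
        if m:
            data += bytes.fromhex(m.group(2).replace("-", " "))
    return bytes(data)


def classify_first_bytes(data):
    """Describe what the first bytes on the socket look like."""
    if len(data) < 3:
        return "too short"
    # TLS record layer: content type 0x16 (handshake), version major 0x03
    if data[0] == 0x16 and data[1] == 0x03:
        return "TLS handshake record (ClientHello expected)"
    # SSLv2 record: high bit of the length set, message type 0x01 = ClientHello
    if data[0] & 0x80 and data[2] == 0x01:
        return "SSLv2-compatible ClientHello"
    if re.match(rb"^(GET|POST|OPTIONS|PROPFIND|REPORT|HEAD|PUT) ", data):
        return "plaintext HTTP request (no TLS handshake at all)"
    return "unrecognised"
```

For the bytes quoted in the log the result is a plaintext HTTP request, i.e. the client spoke HTTP to the TLS port instead of starting a handshake, which is worth checking before looking at the certificate set-up.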

John Lightsey | 23 Nov 18:57 2009

Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
> Backport is not totally straightforward, because the original patches
> use the filter architecture not present in Apache 1.3.
> 
> Any Feedback on the patch is welcome. Some additional debug output can
> be activated by using -DRENEG_DEBUG.
> 

There are a few lines of C99 syntax in this patch (variable declarations
of "char *reneg" in the middle of code) that cause it to fail with gcc
2.95.

Seems to work fine otherwise.


Rainer Jung | 23 Nov 21:59 2009

Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

On 23.11.2009 18:57, John Lightsey wrote:
> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>> Backport is not totally straightforward, because the original patches
>> use the filter architecture not present in Apache 1.3.
>>
>> Any Feedback on the patch is welcome. Some additional debug output can
>> be activated by using -DRENEG_DEBUG.
>>
> 
> There are a few lines of C99 syntax in this patch (variable declarations
> of "char *reneg" in the middle of code) that cause it to fail with gcc
> 2.95.

Sorry, I forgot to fix those. Thanks for the feedback.

> Seems to work fine otherwise.

Good to know! The more eyes the better.

Regards,

Rainer

Rainer Jung | 23 Nov 22:12 2009

Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

On 23.11.2009 18:57, John Lightsey wrote:
> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>> Backport is not totally straightforward, because the original patches
>> use the filter architecture not present in Apache 1.3.
>>
>> Any Feedback on the patch is welcome. Some additional debug output can
>> be activated by using -DRENEG_DEBUG.
>>
> 
> There are a few lines of C99 syntax in this patch (variable declarations
> of "char *reneg" in the middle of code) that cause it to fail with gcc
> 2.95.
> 
> Seems to work fine otherwise.

Thanks again. I updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch

The only changes are in ssl_engine_io.c, where the declaration of "char
*reneg" is moved 4 times to the beginning of the function. Anything else
you observed?

Regards,

Rainer