[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS renotiation

To: Emmanuel Lecharny <elecharny@apache.org>
Subject: Re: TLS renotiation
From: Howard Chu <hyc@symas.com>
Date: Tue, 10 Nov 2009 16:28:15 -0800
Cc: Dieter Kluenter <dieter@dkluenter.de>, openldap-software@openldap.org, Ludovic Poitou <Ludovic.Poitou@Sun.COM>
In-reply-to: <4AF9FE5F.1020804@nextury.com>
References: <87ws21o1yc.fsf@rubin.avci.de> <4AF69793.4040502@symas.com> <78ECD685-4A3F-4A31-BBD8-23F36D8E9924@sun.com> <4AF9C629.1010502@symas.com> <4AF9FE5F.1020804@nextury.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.1.5pre) Gecko/20091025 Lightning/1.0pre SeaMonkey/2.0a1pre Firefox/3.0.3

Emmanuel Lecharny wrote:
> Howard Chu wrote:
>> Ludovic Poitou wrote:
>>   
>>> Howard,
>>>
>>> Our security expert at Sun consider that the attack could be applied to
>>> LDAP, although it will be more complex to achieve for all the good
>>> reasons you've outline (session-oriented, with explicit authentication
>>> attached to a session, and is a record-oriented ASN.1 encoded protocol
>>> with precisely defined message structure).
>>> The renegotiation in the attack is as far as I understand, driven by the
>>> man in the middle, and so even though OpenLDAP slapd never request the
>>> renegociation, it is still subject to the attack.

>> Hi Ludo, thanks for the note. Kurt and I were discussing this offline and he
>> has suggested a possible attack as well. I'm still not convinced of the
>> details but we'll continue to investigate.

> Wondering if we (ApacheDS) can be a possible target, assuming that we 
> are Java based. Any idea ?

Kurt will be posting a more extensive message on the topic later. I suppose
your degree of exposure depends on certain details of your implementation of
ldaps:// and/or StartTLS. In the case of OpenLDAP, it is impossible for a MITM
to perform a privilege escalation with this attack. There are other things an
attacker could do, such as nullifying a particular client request. It amounts
to being able to DOS a specific client or a specific user, which is
interesting and annoying, but also highly traceable...

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- TLS renotiation
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: TLS renotiation
  - From: Howard Chu <hyc@symas.com>
- Re: TLS renotiation
  - From: Ludovic Poitou <Ludovic.Poitou@Sun.COM>
- Re: TLS renotiation
  - From: Howard Chu <hyc@symas.com>
- Re: TLS renotiation
  - From: Emmanuel Lecharny <elecharny@apache.org>

Prev by Date: Re: TLS renotiation
Next by Date: RE: hdb_search: does not match filter
Index(es):
- Chronological
- Thread