[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS renotiation

To: Howard Chu <hyc@symas.com>
Subject: Re: TLS renotiation
From: Emmanuel Lecharny <elecharny@apache.org>
Date: Wed, 11 Nov 2009 00:59:27 +0100
Cc: Dieter Kluenter <dieter@dkluenter.de>, openldap-software@openldap.org, Ludovic Poitou <Ludovic.Poitou@Sun.COM>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=3t3CH6JewDJlESui1ziv62viFsvTeNLL4vMGt7vPHp8=; b=uv/XrSO9vEoscHl+v+Vlrk2mT8tj4IiVw81l2MRO/zxDeWsM3QYWPlkcYetLV+pUkN M83onbqQurMgj6nRn8sgEMD+v52YlxdklV6h7AfbrNkkqexkn3AbHbtv5YQx1j14M1EU LdrHstYeSynDZ5WfDCgKkMEbq6RLHMtXBfG48=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=UPj0S2HiwBAXW75/UQNXQY8vS0ZixHYqd/2hGnLuDe/0FWVobKlOr2QNpOT8S/zyt4 Es6+RuN3MKyvtO6ZLRuL5nAj/o8xKKbOx1TuBJvXU3jcpd+buBu7vdkAEwfxQajJ+Igg 2CagSTyCJbVhBzXluh+PAH51VziRyl0hB68jw=
In-reply-to: <4AF9C629.1010502@symas.com>
References: <87ws21o1yc.fsf@rubin.avci.de> <4AF69793.4040502@symas.com> <78ECD685-4A3F-4A31-BBD8-23F36D8E9924@sun.com> <4AF9C629.1010502@symas.com>
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Howard Chu wrote:

Ludovic Poitou wrote:

Howard,

Our security expert at Sun consider that the attack could be applied to
LDAP, although it will be more complex to achieve for all the good
reasons you've outline (session-oriented, with explicit authentication
attached to a session, and is a record-oriented ASN.1 encoded protocol
with precisely defined message structure).
The renegotiation in the attack is as far as I understand, driven by the
man in the middle, and so even though OpenLDAP slapd never request the
renegociation, it is still subject to the attack.


Hi Ludo, thanks for the note. Kurt and I were discussing this offline and he
has suggested a possible attack as well. I'm still not convinced of the
details but we'll continue to investigate.

Wondering if we (ApacheDS) can be a possible target, assuming that weare Java based. Any idea ?


--
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org

Follow-Ups:
- Re: TLS renotiation
  - From: Howard Chu <hyc@symas.com>
- Re: TLS renotiation
  - From: Kurt Zeilenga <Kurt@OpenLDAP.org>

References:
- TLS renotiation
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: TLS renotiation
  - From: Howard Chu <hyc@symas.com>
- Re: TLS renotiation
  - From: Ludovic Poitou <Ludovic.Poitou@Sun.COM>
- Re: TLS renotiation
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: TLS renotiation
Next by Date: Re: TLS renotiation
Index(es):
- Chronological
- Thread