[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS renotiation

Subject: Re: TLS renotiation
From: Howard Chu <hyc@symas.com>
Date: Wed, 11 Nov 2009 12:14:47 -0800
Cc: openldap-software@openldap.org
In-reply-to: <4FA88D55-157D-4C5B-ABEE-9A69917BE563@OpenLDAP.org>
References: <87ws21o1yc.fsf@rubin.avci.de> <4AF69793.4040502@symas.com> <78ECD685-4A3F-4A31-BBD8-23F36D8E9924@sun.com> <4AF9C629.1010502@symas.com> <4AF9FE5F.1020804@nextury.com> <4FA88D55-157D-4C5B-ABEE-9A69917BE563@OpenLDAP.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.1.5pre) Gecko/20091025 Lightning/1.0pre SeaMonkey/2.0a1pre Firefox/3.0.3

Kurt Zeilenga wrote:
> I've now posted my preliminary report on the general impact of TLS  
> renegotiation on LDAP to the ldapext@ietf.org list, for initial  
> discussion there.  A final report will be made available later, likely  
> posted to ldap@umich.edu.
> 
> This message is available in our local archive of this list: http://www.openldap.org/lists/ietf-ldapext/200911/msg00000.html
> 
> Howard has already made a brief statement here regarding impact upon  
> OpenLDAP Software on this list.  In short summary, only the "milder  
> issue" applies to OpenLDAP Software (and seems to a very minor  
> concern).  Clients can mitigate this issue as discussed in the  
> report.  Servers can mitigate this issue by disabling TLS  
> renegotiations within their TLS library.  Disabling TLS renegotiations  
> in the server has side effects which might not be desirable in certain  
> deployments.

OpenSSL 0.8.9l was quickly released in response to this attack. It is supposed
to disable TLS renegotiation support, but it has a number of bugs. Instead of
cleanly closing the session when a reneg occurs, it hangs. I suggest that
people hold off another couple days before deploying a TLS reneg fix. At least
for OpenLDAP, since in this case the cure is worse than the actual problem.

http://groups.google.com/group/mailing.openssl.dev/browse_thread/thread/4c36ff4db820e37c#

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- TLS renotiation
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: TLS renotiation
  - From: Howard Chu <hyc@symas.com>
- Re: TLS renotiation
  - From: Ludovic Poitou <Ludovic.Poitou@Sun.COM>
- Re: TLS renotiation
  - From: Howard Chu <hyc@symas.com>
- Re: TLS renotiation
  - From: Emmanuel Lecharny <elecharny@apache.org>
- Re: TLS renotiation
  - From: Kurt Zeilenga <Kurt@OpenLDAP.org>

Prev by Date: Re: Troubleshooting synchronization
Next by Date: Re: Troubleshooting synchronization
Index(es):
- Chronological
- Thread