Re: TLS renegotiation
Kurt Zeilenga wrote:
> I've now posted my preliminary report on the general impact of TLS
> renegotiation on LDAP to the ldapext@ietf.org list, for initial
> discussion there. A final report will be made available later, likely
> posted to ldap@umich.edu.
>
> This message is available in our local archive of this list: http://www.openldap.org/lists/ietf-ldapext/200911/msg00000.html
>
> Howard has already made a brief statement here regarding impact upon
> OpenLDAP Software on this list. In short summary, only the "milder
> issue" applies to OpenLDAP Software (and seems to a very minor
> concern). Clients can mitigate this issue as discussed in the
> report. Servers can mitigate this issue by disabling TLS
> renegotiations within their TLS library. Disabling TLS renegotiations
> in the server has side effects which might not be desirable in certain
> deployments.
OpenSSL 0.9.8l was quickly released in response to this attack. It is supposed
to disable TLS renegotiation support, but it has a number of bugs. Instead of
cleanly closing the session when a reneg occurs, it hangs. I suggest that
people hold off another couple of days before deploying a TLS reneg fix, at least
for OpenLDAP, since in this case the cure is worse than the actual problem.
http://groups.google.com/group/mailing.openssl.dev/browse_thread/thread/4c36ff4db820e37c#
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/