I’m researching this month's plaintext injection vulnerability in TLS (openssl). It’s real and affects all existing releases of the SSL and TLS protocol family. Good sysadmins will be installing as a matter of urgency (as of 12th Dec, Netcraft reported that 24 of the top 100 sites had updated).
In the spirit of the internet, 90% of the words below are not mine.

National Vulnerability Database (NVD) – CVE-2009-3555
“The TLS protocol, and the SSL protocol 3.0 as used in… mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l… does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions.”

TLS renegotiation attack. More bad news for SSL | Cupfighter.net
While the attack only works for the first request sent over a TLS session (subsequent renegotiation requests are sent in the encryption context and can thus not be inserted) M[an in the middle] could force the session to reset after x seconds of inactivity by sending a reset packet to both Client and Server, thus forcing a new TCP and TLS session to be re-established and thus gaining a new window of opportunity.
In response to this attack OpenSSL (Nov 8th) released OpenSSL 0.9.8l which does fix the vulnerability, but disables renegotiation completely. This change to OpenSSL may break certain applications so it should be carefully tested before it is implemented. [Server-side HTTPS will generally not be broken.]
This attack will first appear in highly targeted scenarios. Since the attack is a man in the middle attack the attacker will have to have control over all the traffic between client and server and vice versa in order to fully exploit the attack. With this attack TLS does not fully protect the integrity of the communication between client and server.

The root of the problem is servers that perform (allow) TLS renegotiations and make flawed assumptions about what a successful TLS renegotiation means for the data previously received.

PhoneFactor's Status of Patches

Understanding the TLS Renegotiation Attack – Educated Guesswork
‘CVE-2009-3555 – apache/mod_ssl vulnerability and mitigation’ – MARC
Links » Another Protocol Bites The Dust
Extended Subset » Blog Archive » Authentication Gap in TLS Renegotiation
The Secure Goose: TLS renegotiation vulnerability (CVE-2009-3555)
Confidence 2009.02 – Cupfighter renegotiation vulnerability slides
TLS Test here:

Renegotiation Test | netsekure rn
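A fixed server announces that it binds renegotiations to the existing connection by including the RFC 5746 renegotiation_info extension (type 0xff01) in its ServerHello, and a fixed client signals the same with either that extension or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) pseudo cipher suite. The following is an added example, not code from this post or from OpenSSL: it parses a captured ClientHello/ServerHello record for that signalling, so you can check a handshake capture rather than trusting a version string. The sample ServerHello it builds is constructed for illustration.

```python
import struct
RENEGOTIATION_INFO = 0xFF01  # RFC 5746 renegotiation_info extension type
RENEGOTIATION_SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite

def u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def parse_hello(record):
    """Parse one TLS record carrying a ClientHello or ServerHello and report
    whether the peer signals RFC 5746 secure renegotiation."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + u16(record, 3)]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                      # skip version and random
    pos += 1 + hs[pos]                # skip session_id
    scsv = False
    if hs_type == 1:                  # ClientHello: cipher suite list, then compression list
        cs_len = u16(hs, pos); pos += 2
        suites = {u16(hs, i) for i in range(pos, pos + cs_len, 2)}
        scsv = RENEGOTIATION_SCSV in suites
        pos += cs_len
        pos += 1 + hs[pos]
    elif hs_type == 2:                # ServerHello: one cipher suite, one compression method
        pos += 3
    else:
        raise ValueError("not a ClientHello or ServerHello")
    has_ext = False
    if pos < len(hs):                 # optional extensions block
        end = pos + 2 + u16(hs, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = u16(hs, pos), u16(hs, pos + 2); pos += 4
            has_ext |= etype == RENEGOTIATION_INFO
            pos += elen
    return {"msg": "ClientHello" if hs_type == 1 else "ServerHello", "scsv": scsv,
            "renegotiation_info": has_ext, "secure_renegotiation": scsv or has_ext}

def build_server_hello(patched):
    """Constructed sample ServerHello (TLS 1.0, zero random, empty session id,
    suite 0x002f, null compression); patched adds an empty renegotiation_info."""
    hs = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if patched:
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        hs += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body
```

A server whose ServerHello comes back without the extension is still negotiating the old, unbound renegotiation and belongs on the to-patch list.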