CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability

sthen-2
The SSL/TLS protocol is subject to man-in-the-middle attacks
related to renegotiation (described in draft-ietf-tls-renegotiation-00)
allowing a MITM to inject chosen plaintext to the beginning of the
application data. Practical attacks exist against HTTPS and possibly
other protocols.

In -current, OpenSSL's ability to accept renegotiations has been
disabled by default. Patches are available for OpenBSD 4.6 and 4.5:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/010_openssl.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.6/common/004_openssl.patch

These are also available in the 4.5 and 4.6 -stable branches.

Loading...