CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
Report Content as Inappropriate

CVE-2009-3555: SSL/TLS renegotiation MITM vulnerability

The SSL/TLS protocol is subject to man-in-the-middle attacks
related to renegotiation (described in draft-ietf-tls-renegotiation-00)
allowing a MITM to inject chosen plaintext to the beginning of the
application data. Practical attacks exist against HTTPS and possibly
other protocols.

In -current, OpenSSL's ability to accept renegotiations has been
disabled by default. Patches are available for OpenBSD 4.6 and 4.5:


These are also available in the 4.5 and 4.6 -stable branches.