Apache/mod_ssl vulnerability and mitigation

The following announcement has just been made to the announce mailing list:
Apache httpd is affected by CVE-2009-3555[1] (the SSL Injection or MiM attack[2]). The Apache httpd webserver relies on OpenSSL for the implementation of the SSL/TLS protocol. We strongly urge you to upgrade to OpenSSL 0.9.8l; and to be prepared to deploy OpenSSL 0.9.8m as it becomes available[3].

Note that these are for short-term and mid-term mitigation only; the long-term solution may well require a modification of the SSL and/or TLS protocols[4].

For those who are not able to upgrade OpenSSL swiftly and/or for those who need detailed logging – we recommend that you roll out this patch[5]:

http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
sha1: 28cd58f3758f1add39417333825b9d854f4f5f43

as soon as possible. This is a partial fix in lieu of the protocol issues being addressed and further changes to OpenSSL. Like the OpenSSL 0.9.8l stopgap measure, this patch rejects in-session renegotiation.

If you are unable to patch and unable to roll out a newer version of OpenSSL, and you rely on Client Side Authentication with Certificates, then we recommend that you 1) ensure that you limit your configuration to a single 'SSLVerifyClient require' on VirtualHost/Server level and 2) remove all other (re)negotiation/require directives. However this does NOT fully protect you – it just curtails authentication in this specific setting.
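As an added illustration (not part of the announcement above), the kind of mod_ssl configuration change the last paragraph describes: the renegotiation-dependent layout beside the single-directive layout. The hostname, file paths and cipher string are placeholders, and the two vhost blocks are alternatives, not meant to be loaded together.

```apache
# Added example, not from the Apache announcement. Hostname, paths and
# certificate locations are placeholders.

# --- BEFORE: renegotiation-dependent layout ---
# The vhost starts without client authentication and only asks for a
# client certificate once a request hits /secure. mod_ssl satisfies the
# per-Location change by renegotiating the TLS session mid-connection,
# which is the in-session renegotiation CVE-2009-3555 is about.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    SSLVerifyClient none

    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>

    # A per-Location cipher change forces a renegotiation as well.
    <Location /admin>
        SSLCipherSuite HIGH:!aNULL
    </Location>
</VirtualHost>

# --- AFTER: single vhost-level requirement, no per-Location overrides ---
# Client certificates are demanded in the initial handshake of every
# connection to this vhost, so no request triggers a renegotiation.
# Cost: the whole vhost now requires a client certificate; content that
# must stay open to unauthenticated clients belongs on a separate vhost.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLCipherSuite        HIGH:!aNULL

    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

Remember that this layout only removes the renegotiation trigger from the server's own configuration; as the announcement says, it is not a substitute for the OpenSSL upgrade or the patch.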