Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 152863 - mod_ssl SSLCipherSuite Restriction Bypass Vulnerability CAN-2004-0885
Summary: mod_ssl SSLCipherSuite Restriction Bypass Vulnerability CAN-2004-0885
Keywords:
Status: CLOSED DUPLICATE
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://marc.theaimsgroup.com/?l=apach...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-12-02 19:21 UTC by David Lawrence
Modified: 2008-05-01 15:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description David Lawrence 2005-03-30 23:30:07 UTC
from http://marc.theaimsgroup.com/?l=apache-modssl&m=109724918128044&q=raw
===
Ralf, here's the fix I suggest for the CAN-2004-0885 SSLCipherSuite
bypass issue (http://issues.apache.org/bugzilla/show_bug.cgi?id=31505):
does it look OK?

I've tested this on a server running OpenSSL 0.9.6 from a custom-hacked
client which resumes the session during the renegotiation for a
per-dir-SSLCipherSuite, and it gets a 403 as expected.  I've tested the
equivalent patch for 2.0 against 0.9.7 and it renegotiates the cipher
suite properly as expected.

--- mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_init.c.can0885	2002-10-04
14:17:33.000000000 +0100
+++ mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_init.c	2004-10-08
13:35:15.000000000 +0100
@@ -602,6 +602,14 @@
     else
         SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
 
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+    /* 
+     * Disallow a session from being resumed during a renegotiation,
+     * so that an acceptable cipher suite can be negotiated.
+     */
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
+
     /*
      *  Configure callbacks for SSL context
      */
--- mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_kernel.c.can0885	2004-10-08
13:35:15.000000000 +0100
+++ mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_kernel.c	2004-10-08
13:35:41.000000000 +0100
@@ -665,7 +665,7 @@
     X509_STORE_CTX certstorectx;
     int depth;
     STACK_OF(SSL_CIPHER) *skCipherOld;
-    STACK_OF(SSL_CIPHER) *skCipher;
+    STACK_OF(SSL_CIPHER) *skCipher = NULL;
     SSL_CIPHER *pCipher;
     ap_ctx *apctx;
     int nVerifyOld;
@@ -1051,6 +1051,20 @@
                 return FORBIDDEN;
             }
         }
+        
+        /*
+         * Also check that SSLCipherSuite has been enforced as expected.
+         */
+        if (skCipher) {
+            pCipher = SSL_get_current_cipher(ssl);
+            if (sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {
+                ssl_log(r->server, SSL_LOG_ERROR,
+                        "SSL cipher suite not renegotiated: "
+                        "access to %s denied using cipher %s",
+                        r->filename, SSL_CIPHER_get_name(pCipher));
+                return FORBIDDEN;
+            }
+        }
     }
 
     /*
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majordomo@modssl.org
===
also see http://issues.apache.org/bugzilla/show_bug.cgi?id=31505 and
http://www.securityfocus.com/bid/11360/



------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-02 16:19:34 ----



*** This bug has been marked as a duplicate of 2148 ***



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:30 -------

This bug previously known as bug 2325 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2325
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was bugzilla.fedora.us@beej.org.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.




Note You need to log in before you can comment on or make changes to this bug.