Web Stack and the TLS Vulnerability

Recently I have written at some length about the SSL/TLS renegotiation vulnerability (CVE-2009-3555) from the perspective of our Sun Web Server 7.

What about Web Stack?

Unlike Web Server, which uses NSS for its SSL/TLS implementation, the various components in Web Stack use OpenSSL for the same purpose. Therefore, whether a Web Stack component is vulnerable depends (mostly) on whether OpenSSL has been updated to prevent the renegotiation attack.

The key is that Web Stack does not ship a private copy of OpenSSL - it uses the OpenSSL libraries present in the system. So it comes down to whether the system OpenSSL is vulnerable or not.


The status per platform at the time of writing:

Web Stack 1.5 / OpenSolaris 2009.06
  OpenSolaris: Safe only once openssl-0.9.8l shows up in the release repo
  Solaris 10: Safe once the Sun Alert [1] fixes are installed by the user
  Red Hat Linux: Vulnerable, no relief available

Upcoming Web Stack 1.6 / OpenSolaris 2010.03
  OpenSolaris: Safe (openssl-0.9.8l is already in the dev repo)
  Solaris 10: Safe once the Sun Alert [1] fixes are installed by the user
  Red Hat Linux: Vulnerable [2], no relief available

Unfortunately on Red Hat the patched OpenSSL is not yet available, so Web Stack remains vulnerable on that platform.

[1] The Solaris 10 patches are documented in the corresponding Sun Alert: http://sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1

[2] In Web Stack 1.6 the Apache httpd module mod_ssl has been patched to disable client-initiated renegotiation, which offers potential relief. However, this combination is safe only if the customer makes sure no server-initiated renegotiation is configured (in mod_ssl terms, directives such as SSLVerifyClient or SSLCipherSuite inside a <Directory> or <Location> block, which make the server renegotiate once it knows the requested URL).
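The two checks this implies, written out as an added example that is not code from the original post or from Web Stack: one function decides whether the string printed by `openssl version` names 0.9.8l or later (the threshold the table above uses), and a second scans an httpd.conf for the per-directory SSL directives that make mod_ssl renegotiate on the server side, the situation footnote [2] warns about. The version threshold, the directive list and the two sample configuration fragments are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not code from the original post or from Web Stack).
#   openssl_version_safe            - is `openssl version` output 0.9.8l or later?
#   server_renegotiation_configured - does an httpd.conf set SSLVerifyClient,
#       SSLVerifyDepth, SSLCipherSuite or SSLProtocol inside <Directory>/<Location>/
#       <Files>, which makes mod_ssl renegotiate after it sees the request URL?
# All sample inputs below are constructed for this example.

# Turn "OpenSSL 0.9.8k 25 Mar 2009" into an integer sort key so versions can
# be compared with test(1): 0.9.8k -> 90811, 0.9.8l -> 90812, 1.0.0 -> 1000000.
# Vendor suffixes such as "0.9.8e-fips-rhel5" are tolerated (letter e -> 5).
openssl_version_key() {
    printf '%s\n' "$1" | awk '{
        split($2, p, "[.]")            # p[1]=major p[2]=minor p[3]=patch+letter
        patch = p[3]; letter = 0
        if (match(patch, /^[0-9]+/)) {
            rest  = substr(patch, RSTART + RLENGTH)
            patch = substr(patch, RSTART, RLENGTH)
            if (match(rest, /^[a-z]/)) letter = index("abcdefghijklmnopqrstuvwxyz", substr(rest, 1, 1))
        }
        printf "%d\n", p[1] * 1000000 + p[2] * 10000 + patch * 100 + letter
    }'
}

# Exit 0 when the version string names 0.9.8l or later, 1 otherwise.
openssl_version_safe() {
    [ "$(openssl_version_key "$1")" -ge "$(openssl_version_key 'OpenSSL 0.9.8l')" ]
}

# Exit 0 and print the offending lines when a renegotiation-forcing directive
# appears inside a <Directory>, <Location>, <Files> (or *Match) block; exit 1
# otherwise. The same directives at server or <VirtualHost> level only shape
# the initial handshake, so they are deliberately ignored.
server_renegotiation_configured() {
    awk '
        BEGIN { depth = 0; found = 0 }
        {
            line = tolower($0)
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/) next                                   # comment
            if (line ~ /^<(directory|location|files)(match)?[ \t>]/) { depth++; next }
            if (line ~ /^<\/(directory|location|files)(match)?>/)   { depth--; next }
            if (depth > 0 && line ~ /^ssl(verifyclient|verifydepth|ciphersuite|protocol)[ \t]/) {
                found = 1
                printf "%s:%d: %s\n", FILENAME, NR, $0
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Write two constructed httpd.conf fragments into directory $1.
write_sample_configs() {
    # Client certificates required for the whole vhost: one handshake, no renegotiation.
    cat > "$1/safe.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient require
    <Location /secure>
        # SSLVerifyClient optional   (commented out, must be ignored)
        Require valid-user
    </Location>
</VirtualHost>
EOF
    # Client certificates only under /secure and a weaker cipher list for a
    # legacy directory: mod_ssl has to renegotiate once it knows the URL.
    cat > "$1/renego.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    <Location /secure>
        SSLVerifyClient require
        SSLRequireSSL
    </Location>
    <Directory "/var/www/legacy">
        SSLCipherSuite RC4-SHA
    </Directory>
</VirtualHost>
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    for v in 'OpenSSL 0.9.8k 25 Mar 2009' 'OpenSSL 0.9.8l 5 Nov 2009' \
             'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008'; do
        if openssl_version_safe "$v"; then echo "$v: safe"; else echo "$v: vulnerable"; fi
    done
    for f in safe.conf renego.conf; do
        if server_renegotiation_configured "$tmp/$f"; then
            echo "$f: server-initiated renegotiation configured; the mod_ssl block is NOT sufficient"
        else
            echo "$f: no server-initiated renegotiation found"
        fi
    done
    rm -rf "$tmp"
}
demo
```

On a real host run `openssl_version_safe "$(openssl version)"` and `server_renegotiation_configured /etc/httpd/conf/httpd.conf`. Two caveats: Red Hat backports security fixes without changing the version string, so on that platform `rpm -q --changelog openssl | grep CVE-2009-3555` is the authoritative check once a fix ships; and a version string only says what is installed, not how the server behaves, so the behavioural test is to type R in `openssl s_client -connect host:443` after the handshake and see whether the server refuses. Note also that 0.9.8l reaches safety by refusing renegotiation altogether, which is exactly why a configuration that relies on server-initiated renegotiation (per-directory client certificates) stops working rather than becoming safe.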