COMMAND
SSLeay and OpenSSL
SYSTEMS AFFECTED
Packages that use SSLeay and OpenSSL
PROBLEM
Following is based on OpenSSL and SSLeay Security Alert. It was
recently realised that packages that use SSLeay and OpenSSL may
suffer from a security problem: under some circumstances, SSL
sessions can be reused in a different context from their original
one. This may allow access controls based on client certificates
to be bypassed. Unfortunately, before the the problem was fully
understood, it was discussed on various public lists. The OpenSSL
team have therefore decided to release an interim version of
OpenSSL which addresses the problem by disabling session reuse
except in limited circumstances (see below). Although this
problem is not strictly a defect in OpenSSL, it is rather tricky
for applications to be coded correctly to avoid the problem due
to the sketchy nature of SSLeay/OpenSSL documentation.
SSL sessions include a session ID which allows initial setup to be
bypassed once a session has been established between a client and
server. This session ID, when presented by the client, causes the
same master key to be used as was used on the previous connection,
thus saving considerable session setup time. When the session is
reused in this manner, all access controls based on client
certificates are bypassed, on the grounds that the original
session would have made the necessary checks. Unfortunately, the
lack of documentation has resulted in the caching structures being
used in certain applications without appropriate care being taken
to assure that the cached sessions are only available at the
appropriate moments. As a result it is sometimes possible for a
specially written SSL client to fraudulently obtain an SSL
connection which requires access control by reusing a previous
session which had different or no access control. The problem
affects servers which support session reuse and which have
multiple virtual hosts served from a single server, where some
virtual hosts use differing client server verifications. Note
that "different" includes no verification on some hosts, and
verification on others, or different CAs for different hosts. In
order to exploit this problem carefully written client software
would need to be written. The attacker would need considerable
knowledge of the SSL protocol. Standard web browsers will not
and cannot be made to use SSL in this way.
Affected software includes all server software using SSLeay or
versions of OpenSSL prior to version 0.9.2b that support multiple
virtual hosts with different client certificate verification.
This includes, but is not limited to:
Apache-SSL http://www.apache-ssl.org/
mod_ssl http://www.engelschall.com/sw/mod_ssl/
Raven http://www.covalent.net/
Stronghold http://www.c2.net/
SOLUTION
A future version will deal with the problem more elegantly by
redoing verification on reused sessions when necessary. Download
OpenSSL 0.9.2b (see http://www.openssl.org) and build it in the
usual way. Check the application for updates, and download those,
too (NB: this step is not necessarily required, the updated
library will fix the problem). The versions of the applications
listed above that you should use are:
Apache_SSL 1.3.4+1.32
mod_ssl 2.2.6-1.3.4
Raven 1.4.0
Stronghold 2.4.2
Rebuild the application (if needed). If you are an application
author, you should look in to the use of
SSL_set_session_id_context(), which can be used to reenable
session reuse when appropriate.