Bug 152863 - mod_ssl SSLCipherSuite Restriction Bypass Vulnerability CAN-2004-0885
mod_ssl SSLCipherSuite Restriction Bypass Vulnerability CAN-2004-0885
Status: CLOSED DUPLICATE
Product: Fedora Legacy
Classification: Retired
Component: Package request (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://marc.theaimsgroup.com/?l=apach...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-12-02 14:21 EST by David Lawrence
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:30:07 EST
from http://marc.theaimsgroup.com/?l=apache-modssl&m=109724918128044&q=raw
===
Ralf, here's the fix I suggest for the CAN-2004-0885 SSLCipherSuite
bypass issue (http://issues.apache.org/bugzilla/show_bug.cgi?id=31505):
does it look OK?

I've tested this on a server running OpenSSL 0.9.6 from a custom-hacked
client which resumes the session during the renegotiation for a
per-dir-SSLCipherSuite, and it gets a 403 as expected.  I've tested the
equivalent patch for 2.0 against 0.9.7 and it renegotiates the cipher
suite properly as expected.

--- mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_init.c.can0885	2002-10-04
14:17:33.000000000 +0100
+++ mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_init.c	2004-10-08
13:35:15.000000000 +0100
@@ -602,6 +602,14 @@
     else
         SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
 
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+    /* 
+     * Disallow a session from being resumed during a renegotiation,
+     * so that an acceptable cipher suite can be negotiated.
+     */
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
+
     /*
      *  Configure callbacks for SSL context
      */
--- mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_kernel.c.can0885	2004-10-08
13:35:15.000000000 +0100
+++ mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_engine_kernel.c	2004-10-08
13:35:41.000000000 +0100
@@ -665,7 +665,7 @@
     X509_STORE_CTX certstorectx;
     int depth;
     STACK_OF(SSL_CIPHER) *skCipherOld;
-    STACK_OF(SSL_CIPHER) *skCipher;
+    STACK_OF(SSL_CIPHER) *skCipher = NULL;
     SSL_CIPHER *pCipher;
     ap_ctx *apctx;
     int nVerifyOld;
@@ -1051,6 +1051,20 @@
                 return FORBIDDEN;
             }
         }
+        
+        /*
+         * Also check that SSLCipherSuite has been enforced as expected.
+         */
+        if (skCipher) {
+            pCipher = SSL_get_current_cipher(ssl);
+            if (sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {
+                ssl_log(r->server, SSL_LOG_ERROR,
+                        "SSL cipher suite not renegotiated: "
+                        "access to %s denied using cipher %s",
+                        r->filename, SSL_CIPHER_get_name(pCipher));
+                return FORBIDDEN;
+            }
+        }
     }
 
     /*
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majordomo@modssl.org
===
also see http://issues.apache.org/bugzilla/show_bug.cgi?id=31505 and
http://www.securityfocus.com/bid/11360/



------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-02 16:19:34 ----



*** This bug has been marked as a duplicate of 2148 ***



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:30 -------

This bug previously known as bug 2325 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2325
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was bugzilla.fedora.us@beej.org.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.


Note You need to log in before you can comment on or make changes to this bug.